which were used to connect the calling computer with the host system.

METHOD AND APPARATUS TO MONITOR AND LOCATE AN ELECTRONIC DEVICE USING A SECURED INTELLIGENT AGENT VIA A GLOBAL NETWORK

RELATED APPLICATIONS

This application is a continuation-in-part application of U.S. application Ser. No. 08/826,098 filed on Mar. 24, 1997, which is a continuation-in-part application of application Ser. No. 08/558,432 filed Nov. 15, 1995, now U.S. Pat. No. 5,764,892, which is a continuation-in-part of Ser. No. 08/339,978 filed Nov. 15, 1994, now U.S. Pat. No. 5,715,174; and a continuation-in-part application of U.S. application Ser. No. 08/871,221 filed on Jun. 9, 1997, which is a continuation-in-part application of application Ser. No. 08/558,432 filed Nov. 15, 1995, which is a continuation-in-part of Ser. No. 08/339,978 filed Nov. 15, 1994.

BACKGROUND OF THE INVENTION

Many electronic devices, such as laptop computers and cellular telephones, are becoming more compact and portable. While such portability is extremely convenient for the user, it has given rise to an increased risk of theft. These electronic devices are often very expensive and are easily lost or stolen.

Previously, attempts have been made to provide means for retrieving lost or stolen items of various types. The simplest approach is marking the item with the name and the address of the owner, or with a license number. If the item falls into the hands of an honest person then the owner can be located. However, this approach may not deter a thief who can remove visible markings on the device.

Password protection schemes are of dubious value in discouraging theft or retrieving an item. Although the data can be protected from theft, the computer hardware cannot be found or retrieved. Another approach has been to place a radio transmitter on the item. This has been done in the context of automobile anti-theft devices. The police or a commercial organization monitors the applicable radio frequency to try to locate a stolen vehicle. This method is not suitable for smaller items such as cellular telephones or laptop computers. First, it is inconvenient to disassemble such devices in order to attempt to install a transmitter therein. Second, there may not be any convenient space available to affix such a transmitter. Furthermore, a rather elaborate monitoring service, including directional antennas or the like, is required to trace the source of radio transmissions.

It is therefore an object of the invention to provide an improved means for tracing or locating smaller lost or stolen objects, particularly laptop computers, cellular telephones, desktop computers and other small, portable electronic devices or expensive home and office electronic equipment.

It is also an object of the invention to provide an improved means for tracing such electronic devices which can be installed without disassembly or physical alteration of the devices concerned.

It is a further object of the invention to provide an improved means for locating lost or stolen items, this means being hidden from unauthorized users in order to reduce the risk of such means being disabled by the unauthorized user.

It is a still further object of the invention to provide an improved means for locating lost or stolen items which actively resist attempts to disable the means by an unauthorized user.

It is a still further object of the invention to provide an improved means for inexpensively and reliably locating lost or stolen items.

This invention also overcomes disadvantages associated with the prior art by operating without interfering with the operating system or running applications. This is accomplished by disposing the means for initiating communication with a host system in the firmware, such as on the ROM BIOS or the modem component of a client electronic device. This security system operates independently of the operating system running on the electronic device.

In addition, a feature whereby the security system transmits through the Internet is disclosed. This feature enables the security system to initiate a call to the host monitoring system even when the client is simultaneously running a different Internet application. This represents an advantage over the prior art, including co-pending Continuation-in-Part Application Ser. No. 08/558,432, which is hereby incorporated by reference, which could not transmit while an application was using the modem since interference could alert the user to the presence of the security system. This security system operates independently of the operating system running on the electronic device.

SUMMARY OF THE INVENTION

The invention relates to a security apparatus and method for retrieving lost or stolen electronic devices such as laptop or desktop PCs (including stolen components such as CPUs, hard drives, etc.), cablevision devices, personal digital assistants (PDAs), cellular telephones, etc. This enables electronic devices to be traced or monitored by disposing thereon an intelligent agent with a pre-defined task set. This agent communicates with a pre-selected host monitoring system which is capable of multiple services including: tracing location, providing identifying indicia such as an electronic serial number (ESN), and electronically notifying the end user of its location.

The agent hides within the software/firmware/hardware of the electronic device, and operates without interfering with the regular operation of the device. According to one embodiment of the invention, the Agent is disposed on the ROM BIOS of the electronic device and the Agent takes control of the electronic device and its facilities during its boot-up. According to another embodiment of the invention, the Agent is disposed on the modem component of the electronic device and the Agent operates independently of the electronic device. Another embodiment of the Agent is on the processing unit (e.g., microprocessor) of the electronic device. Yet another embodiment of the Agent is a hardware implementation, such as hard-wired circuitry or a single integrated circuit. The Agent is further designed to evade detection and resist attempts to disable it by an unauthorized user.

The invention overcomes disadvantages associated with the prior art by yielding a security device for small computers, cellular telephones and the like which can be programmed as firmware onto the non-volatile memory (such as ROM BIOS, ROM, Flash ROM, EPROM, EEPROM or the like) of such devices. Accordingly no physical alteration is necessary or apparent to a thief. The existence of the security device is well cloaked and thus it cannot be readily located or disabled even if the possibility of its existence is suspected. Apparatuses and methods according to the invention can be very cost effective, requiring relatively inexpensive modifications to software or hardware and operation of relatively few monitoring devices.
According to one aspect of the invention there is provided
an electronic device with an integral security system. The 
security system includes means for sending signals to a 
remote station at spaced apart intervals of time. The signals 
include identifying indicia for the electronic device. The 
means for sending signals includes a telecommunications 
interface connectable to a telecommunications system, and 
means for dialing a preselected telecommunications number. 
In an alternative embodiment, signals are sent through a 
global network interface. This can be accomplished via the 
standard public telecommunications system which may be 
linked to a global network service provider, or through a 
private network (LAN) link to the global network. The 
remote station includes a telecommunications receiver hav- 
ing the preselected telecommunications number. The remote 
station and the electronic device may also simultaneously be 
connected through the global network. 

In one embodiment of the invention the electronic device 
is a computer, and the means for sending signals includes 
means for providing signals to the telecommunication inter- 
face to dial a preselected telecommunication number and 
send the identifying indicia. The telecommunication inter- 
face may be a modem. The means for providing signals may 
include security software installed as a firmware onto the 
non-volatile memory (such as ROM BIOS, ROM, Flash 
ROM, EPROM, EEPROM, or the like) of the computer, a
software program, a micro-code program, a digital signal 
processor ("DSP") program or a built-in function of the 
operating system. 

The security system may be recorded on the boot sector 
of a hard disk, on a hidden system file such as IO.SYS, 
MSDOS.SYS, IBMBIO.COM or IBMDOS.COM, or alter- 
natively on the ROM BIOS of the computer, or a combina- 
tion of both. The security system functions without inter- 
fering with the operating system or any running 
applications. The security system is loaded into memory 
whenever the electronic device is powered on or reset. It is 
loaded before the operating system. Alternatively, the secu- 
rity system may be recorded on the Flash ROM of the 
modem component of the electronic device. The security 
system functions independently of the main processor of the 
electronic device. Consequently, the security system as 
provided in either the ROM BIOS or the modem Flash ROM 
is operating system independent. 
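The boot-sector embodiment above has a concrete layout constraint: a master boot record is 512 bytes, of which only the first 446 hold code, and the partition table and 0x55AA signature behind it must survive or the machine will not boot. The following is an added example, not code from the patent or from the product it describes, showing that layout, a helper that splices a subloader stub into the code area while preserving the rest of the sector, and the integrity check a defender runs to notice that the code area has changed. The sample MBR and the stub bytes are constructed here for illustration and are not the patent's subloader.

```python
"""Added example (not the patent's own code): the 512-byte master boot
record (MBR) that a boot-sector-resident security system has to share with
the partition table, a helper that splices a subloader stub into the code
area without disturbing the partition entries or the 0x55AA boot signature,
and the integrity check a defender runs to detect that the code area has
changed. The sample MBR and the stub bytes are constructed here for
illustration; they are not the patent's subloader.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
CODE_AREA = 446          # bytes 0..445: boot code, the region a subloader replaces
PART_TABLE = 446         # four 16-byte partition entries follow the code
SIGNATURE = 510          # last two bytes must be 0x55 0xAA


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == MBR_SIZE and mbr[SIGNATURE:] == b"\x55\xaa"


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four partition entries; empty slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE + 16 * i)
        if ptype:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def install_subloader(mbr: bytes, stub: bytes) -> bytes:
    """Overwrite only the code area, keeping partition table and signature."""
    if not has_boot_signature(mbr):
        raise ValueError("not a valid MBR")
    if len(stub) > CODE_AREA:
        raise ValueError("subloader stub does not fit in the MBR code area")
    return stub.ljust(CODE_AREA, b"\x00") + mbr[PART_TABLE:]


def code_area_digest(mbr: bytes) -> str:
    """Defender-side fingerprint of the executable part of the MBR only, so
    legitimate partition-table edits do not trip the check."""
    return hashlib.sha256(mbr[:CODE_AREA]).hexdigest()


def mbr_code_modified(mbr: bytes, known_good_digest: str) -> bool:
    return code_area_digest(mbr) != known_good_digest


def make_sample_mbr() -> bytes:
    """Constructed sample: a few bytes of stand-in boot code, one bootable
    FAT16 (type 0x06) partition starting at LBA 63, and the signature."""
    code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(CODE_AREA, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 2097152)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"
```

A real subloader must also chain to the boot code it displaced, since the patent's subloader goes on to load the operating system; this stub does not, it only shows the space it has to fit in. The hidden-system-file and partition-boot-sector embodiments are checked the same way by a defender, by hashing the file or sector against a known-good copy.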

The Agent may be implemented in the firmware or
software of any electronic device, such as a computer. 
Alternatively, the Agent may be implemented in any com- 
ponent of a computer, as with an electronic component such 
as the DSP in a modem or the CPU in the computer. 
Furthermore, the functionality of the Agent may be imple- 
mented in the circuitry of any hardware device capable of 
establishing a communication link through sending and 
receiving packets of data. 

There is provided according to another aspect of the 
invention a method for tracing lost or stolen electronic 
devices whereby a telecommunications interface is connect- 
able to a telecommunications system at a first telecommu- 
nications station. The method includes providing the elec- 
tronic device with means for sending signals to the 
telecommunications interface. The means is instructed by 
the agent to send first signals to the telecommunications 
interface that then calls a remote telecommunications sta-
tion. These first signals contain the encoded identification
(serial number) of the sending computer. Upon detecting an
incoming signal, the remote computer determines the iden-
tification of the sending computer by decoding its serial 
number, and can retrieve the caller phone number from the 
Telephone Company. The remote computer compares the
serial number with a predefined listing of serial numbers of
reported lost or stolen computers. The call will only be
answered if the sending computer is on the predefined list.
In an alternative embodiment, this call filtering feature can
be removed and the remote computer will answer all incom- 
ing calls. 

In an alternative embodiment, if the remote computer
answers the incoming call then the means for sending signals
automatically sends second signals to the telecommunica-
tions interface. The telecommunications interface then trans- 
mits identifying indicia for the device as well as any other 
pertinent information to the remote telecommunications 
station. 

There is provided according to another aspect of the
invention a method for tracing lost or stolen electronic
articles through a global network such as the Internet. The
client computer sends DNS queries that contain encoded
identification information to a remote station through the
Internet. The remote station receives the queries and decodes
the encoded identification information in order to determine
if the client computer matches an entry on a list of reported
lost or stolen computers. If so, the host sends a predefined
response to the client computer indicating that it should
initiate a traceroute to provide the host with the Internet
communication links connecting the client computer to the
host. Additionally, when the client computer receives this
predefined response from the host it immediately attempts to
contact the host via the telecommunications system.

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other objects and advantages will become 
apparent by reference to the following detailed description 
and accompanying drawings, in which: 

FIG. 1 is a functional block diagram of a preferred 
embodiment of the electronic article surveillance system in 
accordance with the teachings of this invention. 

FIG. 2 is a simplified illustration of the functional block 
diagram of FIG. 1 for the purpose of showing an illustrative
embodiment of the present invention. 

FIGS. 3-1 and 3-2 are an illustrative embodiment in the
form of a flowchart of the process by which the operating
system and agent are able to start up and run simultaneously.

FIGS. 4A-1 and 4A-2 are an illustrative embodiment in the
form of a flowchart showing the Agent's work cycle accord- 
ing to an embodiment of the invention. 

FIG. 4B is an illustrative embodiment in the form of a 
flowchart showing the routine for determining PCMCIA 
support in the electronic device.

FIG. 4C is an illustrative embodiment in the form of a 
flowchart showing the modem call routine initiated by the 
Agent. 

FIG. 5 is an illustrative embodiment in the form of a 
flowchart showing the Agent startup loading sequence.

FIGS. 6 A, 6B and 6C are illustrations of alternatives to 
loading of the Agent. 

FIG. 7A is a schematic block diagram illustrating the 
alternate embodiment of Segmented Agent.

FIG. 7B is a flow chart of the Segmented Agent process. 
FIGS. 8A-F are block diagrams illustrating the alternate 
embodiment of Modem Agent. 

FIG. 9 is an illustrative embodiment in the form of a 
flowchart of a process by which the host identification and
filtering subsystem identifies and filters out unwanted calls 
from agents. 
FIG. 10A is a schematic showing an illustrative embodiment of the encoding/decoding method whereby the monitoring service would have to subscribe to 60 telephone numbers.

FIG. 10B is a schematic showing an illustrative embodiment of the encoding/decoding method whereby the monitoring service would have to subscribe to 300 telephone numbers.

FIG. 11A is an illustrative embodiment in the form of a flowchart of a process by which the host telephone monitoring subsystem exchanges data with an agent.

FIG. 11B is an illustrative embodiment in the form of a flowchart of a process by which the host Internet monitoring subsystem exchanges data with an agent.

FIG. 11C is an illustration of a manner in which the client identification is encoded within the host name according to one aspect of the invention.

FIG. 12 is an illustrative embodiment in the form of a flowchart of the process by which the host notification subsystem, contained within the host computer, notifies end-users of the status of monitored devices.

FIGS. 13A and B are schematic diagrams illustrating the embodiment in which the Agent resides in the CPU.

FIG. 14 is an illustrative embodiment in the form of a flowchart showing the conventional method of booting up a personal computer with alternative loading points for the agent security system shown in broken lines.

FIG. 14A is an illustrative embodiment in the form of a flowchart showing a method for startup loading of an agent security system according to an embodiment of the invention wherein the operating system boot sector is loaded with the agent.

FIG. 14B is an illustrative embodiment in the form of a flowchart wherein the hidden system file IO.SYS or IBMBIO.COM is modified to be loaded with the agent.

FIG. 14C is an illustrative embodiment in the form of a flowchart wherein the partition boot sector is modified to be loaded with the agent.

FIG. 14D is an illustrative embodiment in the form of a flowchart wherein the agent security system is ROM BIOS based.

FIGS. 14E, 14G are portions of an illustrative embodiment in the form of a flowchart showing the agent's work cycle according to an embodiment of the invention.

FIG. 14F is a portion of an illustrative embodiment in the form of a flowchart showing the agent's work cycle for the Internet application.

FIG. 14H is an isometric view, partly diagrammatic, of the physical structure of a computer disc.

FIG. 15 is a schematic showing an illustrative embodiment of the encoding/decoding method whereby the monitoring service would have to subscribe to 60 telephone numbers.

FIG. 15A is a schematic showing an illustrative embodiment of the encoding/decoding method whereby the monitoring service would have to subscribe to 300 telephone numbers.

FIG. 16 is a drawing showing some elements which may be installed in conjunction with a PC.

FIG. 17A is a drawing showing ID numbers that are associated with elements which may be installed in conjunction with a PC.

FIG. 17B is a high level flow diagram showing steps used by an agent tracking associated element ID numbers.

FIG. 18A is a high level diagram showing the elements and steps of creating and storing a validation key the first time.

FIG. 18B is a high level diagram showing the elements and steps of creating and checking a validation key.

FIG. 19 is a high level diagram showing the elements and steps of creating and checking a validation key against stored databases.

FIG. 20 is a high level diagram showing Computrace agent elements associated with a birth certificate file.

FIG. 21 is a high level diagram showing an event loop of a secure protocol component.

FIG. 22 is a high level diagram showing basic protocol of the secure protocol component.

FIG. 23 is a high level diagram of the steps of the secure protocol component.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

System Overview

Referring to FIG. 1, the preferred embodiment of the electronic article surveillance system is comprised of three main components: (1) client device A consisting of any one of the electronic devices shown which have been implanted with the agent; (2) a telecommunication link B such as a switched communications system, the Internet, radio tower, satellite and cable networks; and (3) the host monitoring system C which controls the communications between the client device A and the host monitoring system C.

Referring to FIG. 1, the client device can be a cablevision device A2, laptop computer A3, or other type of electronic device A4 including a cellular telephone or personal digital assistant (PDA). However, for illustrative purposes the description below is given in terms of a client computer A1 attached to modem M. The host monitoring system C sends and receives data packets from the client computer A1 over a suitable bidirectional transmission medium, such as a common telephone line L1. Telephone line L1 couples the client computer A1 to the host monitoring system C and the host computer 3 through Public Switched Telephone Network B1 (Telephone Company). The host computer 3 notifies the appropriate parties C3 (owner O, law enforcement agency, or monitoring company) of the status of the client device A via suitable communication means such as electronic mail N1, fax N2, telephone N3 or pager N4. Host monitoring system C also identifies and can filter incoming calls C1, and provide processing, auditing and communication functions C2.

In another embodiment of the invention cablevision device A2 is connected to cablevision network B2 via cable L2. Cable L2 further connects cablevision network B2 to the host monitoring system C.

In another embodiment of the invention laptop computer A3 is connected to radio tower B3 via radio frequency (RF) transmissions L3. These RF transmissions are received by satellite dish S at the host monitoring system C.

In another embodiment of the invention electronic device A4 is connected to satellite B4 via microwave signal L4. Microwave signal L4 further connects satellite B4 to satellite dish S at the host monitoring system C.

In yet another embodiment of the invention client computer A1 is connected to private network (such as a LAN) B7 which is connected to a global network such as the Internet B5 via leased line L5. The connection between client computer A1 and private network B7 can be provided through wireless connection L8. Leased lines L5 and L7 can,
according to one embodiment of the invention, transmit data to and from client computer A1 digitally. Host computer 3 is also connected to the Internet B5. In an alternative embodiment of this global network or Internet application, client computer A1 can alternatively, or simultaneously, be coupled to the Internet B5 through modem M which connects client computer A1 to telephone line L1. Telephone line L1 connects to Public Switched Telephone Network (PSTN) B1 which provides access to Internet provider B6 (such as AOL, Netcom, etc.) via telephone line L6. Internet provider B6 provides access to Internet B5 via leased line L7. Alternatively, client computer A1 may be linked directly to Internet provider B6 via wireless communication link L9. Although this aspect of the invention is described in the context of the Internet, it will be understood by one of ordinary skill in the art that the application of this invention to any currently existing or future global network is contemplated herein. Further, although the Internet aspect of this invention is described and illustrated with respect to client computer A1 it should be understood that the Internet application is readily applicable to the other described devices (including laptop computers, cablevision networks, cellular telephones, personal digital assistants, and other electronic devices).

Referring to FIG. 2, the host monitoring system C has two monitoring subsystems: telephone monitoring subsystem 9x and Internet monitoring subsystem 9y. Telephone monitoring subsystem 9x monitors information transmitted via telephone line 1 from client computer 10 which has an agent installed thereon. Internet monitoring subsystem 9y monitors information transmitted via the Internet 9j from client computers 10 which have agents installed thereon.

Telephone monitoring subsystem 9x includes voice board 2, host computer 3a, hard disk controller 4, hard disk 5, CRT 6, keyboard 7, and printer 8. Host computer 3a is coupled to a suitable display device, such as CRT 6, keyboard 7, and printer 8. The keyboard 7 permits the operator to interact with the host monitoring system C. For example, the operator may use keyboard 7 to enter commands to print out a log file of the clients that have called into the system. The host computer 3a illustratively takes the form of an IBM personal computer. The source codes for the host monitoring system C, in Visual C++ by Microsoft, are disclosed in copending application Ser. Nos. 08/826,098 and 08/558,432 and are incorporated herein by reference.

Telephone line 1 is connected to the host computer 3a by a voice board 2 which is adapted to receive and recognize the audible tones of both caller ID and dialed numbers transmitted via the telephone line 1. Client computer 10 is connected to modem 9 via serial port 9b. Host computer 3a is connected to voice board 2 via data bus 2a. The modem 9 and voice board 2 are connected to telephone line 1 which is routed through Public Switched Telephone Network (PSTN) 9c in accordance with a conventional telephone system. Client computer 10 and modem 9 form a first telecommunication station, while computer 3 and voice board 2 form a second, or remote, telecommunications system. The host monitoring system C sends and receives data packets from client computer 10.

Ring signals are received on phone line 1 as an input to voice board 2. In an illustrative embodiment of the invention, voice board 2 may take the form of the DID/120, DTI/211, and D/12X voice boards manufactured by Dialogic Corporation. The voice board 2 is operative to recognize the ring signal. Then it receives the caller ID and dialed numbers and converts them into corresponding digital signals. As explained in greater detail below, in one embodiment of the invention, the dialed numbers provide in encoded form the unique serial number of the client computer. Host computer 3a decodes the encoded serial number for comparison against a list of reported lost and stolen computers stored in hard disk 5.

In an illustrative embodiment of the invention, the hard disk controller 4 may comprise memory control boards manufactured by Seagate Tech under the designation Hard Disk Controller. The hard disk controller 4 is particularly suitable to control the illustrative embodiment of the hard disk memory 5 manufactured by Seagate Tech under their designation ST-251.

Similarly, the Internet monitoring subsystem 9y is comprised of a host computer 3b, hard disk controller 9e, hard disk 9f, CRT 9g, keyboard 9h, and printer 9i. The host computer 3b is coupled to a suitable display device such as CRT monitor 9g, keyboard 9h, or printer 9i.

Leased line 9k connects host computer 3b to the Internet 9j. Client computer 10 is connected to modem 9 via serial port 9b. Modem 9 and host computer 3b may be connected to the Internet 9j by an Internet provider 9o which uses a communication link such as Serial Line Interface Protocol (SLIP), or Point to Point Protocol (PPP). Alternatively, or simultaneously, client computer 10 may be connected to the Internet 9j through private network (LAN) 9p having a gateway to the Internet or the equivalent. In an alternative embodiment, client computer 10 may be linked to Internet provider 9o and private network 9p via wireless links L9 and L8 respectively. For illustrative purposes, the communication link is a SLIP link. The Internet monitoring subsystem 9y sends and receives data packets from client computer 10 over the Internet 9j.

Domain Name Service (DNS) queries from the agent that are transmitted through the Internet 9j are received as input to the host computer 3b. Host computer 3b extracts the host name from the DNS query, and then extracts and decodes the agent identification (serial number) from this host name. Host Internet monitoring computer 3b uses the decoded agent identification for comparison against a list of reported lost and stolen computers stored in hard disk 9f. The Internet and DNS queries are discussed in more detail below.

According to one embodiment of the invention, the unique identification associated with each electronic device can be an Electronic Serial Number (ESN). These ESN codes can comprise a string of alphanumeric characters that can be encrypted and encoded. The ESN can be generated randomly by a central delegating body to assure that each electronic device has an ESN that is unique. The ESN can be permanently associated with an agent security system to enable the unique identification of the electronic device in which the agent is installed.

The agent is a software program such as a terminate-and-stay-resident (TSR) program, VXD (Virtual Device driver program), application program (such as a Windows service or Windows NT service), or a file filter program. The Agent is installed on hardware, software, or firmware. Some alternative methods of installation are described in co-pending U.S. application Ser. No. 08/558,432 which is hereby incorporated by reference. Once the Agent is installed it will report its identity and its location to the host after specified periods of time have elapsed, and upon the occurrence of certain predetermined conditions. This is further illustrated in co-pending U.S. application Ser. No. 08/558,432.

Referring now to FIG. 2, once the Agent is installed and running it will periodically (every four hours) report its identity and location on the Internet 9j to the Internet monitoring subsystem 9y. The Agent can also concurrently
report its identity and location to the telephone monitoring subsystem 9x through PSTN 9c after specified periods have elapsed, and upon the occurrence of certain pre-determined conditions.

Internet and DNS Queries

The Internet is a collection of networks linked together by IP routers and high-speed digital links. Computers which have access to one of these networks can run Internet applications to send and retrieve digitally recorded files such as audio and video files. Some of the popular Internet applications are Netscape (used to surf the web), Eudora (for e-mail), Telnet (for logging on to another computer) and ping (an Internet utility for checking the status of a particular machine). These Internet applications can be run simultaneously. Thus, a computer can be running client programs such as Eudora and Netscape and at the same time operate as an FTP Server (File Transfer) for other clients that want to transfer files. The applications share the same communications links to the Internet and computer resources (CPU and memory). Thus, multiple applications can simultaneously run without interfering with each other. There is, however, a resultant diminishing effect on performance. The agent of the instant invention would have virtually no effect on the performance of other applications since it transmits such a small data packet.

Each computer linked to the Internet has a unique Internet host name/IP address. Computer networks comprising one or more of these computers are also given names to form a hierarchical naming structure. For instance, the web site for IBM is "www.ibm.com." The prefix "www" is the name of the computer (server) which is attached to the ibm.com network. Addresses could be coded using numbers, but this would make administration of the Internet extremely difficult. Instead, a method providing for the mapping of Internet host names to network addresses was implemented. This mapping system is the Domain Name System (DNS). It is a distributed, hierarchical administrative system. At the top of the hierarchy is the root domain containing the top-level domains (com, edu, net, ca, us, etc.). At the bottom end is a domain name such as cs.berkeley.edu, which corresponds to the computer science department of the University of California at Berkeley. Each domain has more than one authoritative server that can map its Internet host name to its IP (numerical) address.

If a user wants to access the site at www.psmith.cs.berkeley.edu from the address pliving.absolute.com, the user would first input www.psmith.cs.berkeley.edu into his web browser. The web browser would then send a DNS query to the absolute.com authoritative server to determine if the

contacted to link a user with his desired Internet site. As explained in more detail below, the traceroute routine provides a listing of all IP routers used to enable communication between a client and host.
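The Internet path described in the Summary, in the System Overview (host computer 3b extracting and decoding the agent identification from the host name of a DNS query) and in the section above is a beacon carried entirely in DNS: the agent asks its resolver to look up a name whose leftmost label is its serial number, and the authoritative server for that zone is the monitoring host. The following is an added example, not code from the patent or from the product it describes, showing both sides of that exchange. The base32 label encoding, the beacon zone mon.example.net and the two marker addresses are assumptions made here; the patent does not fix them on this page.

```python
"""Added example (not the patent's own code): the DNS-query beacon used by
the Internet monitoring subsystem. The agent hides its Electronic Serial
Number (ESN) in the QNAME of an ordinary DNS query; the host extracts the
host name, decodes the ESN, compares it with the list of reported lost or
stolen devices and, for a listed device, returns a predefined response.
The base32 label encoding, the beacon zone 'mon.example.net' and the two
marker addresses are assumptions made here; the patent does not fix them.
"""
import base64
import struct
from typing import Optional, Set, Tuple

BEACON_ZONE = "mon.example.net"       # assumed zone the host is authoritative for
PREDEFINED_RESPONSE_IP = "10.99.0.1"  # assumed "listed: start traceroute, dial in" marker
NORMAL_RESPONSE_IP = "10.99.0.2"      # assumed answer for devices not on the list


def encode_esn_label(esn: str) -> str:
    """Base32 because DNS names are case-insensitive and resolvers may rewrite
    case; '=' padding is dropped because it is not a legal hostname byte.
    One label may not exceed 63 octets (RFC 1035)."""
    label = base64.b32encode(esn.encode("ascii")).decode("ascii").rstrip("=").lower()
    if len(label) > 63:
        raise ValueError("ESN too long for a single DNS label")
    return label


def decode_esn_label(label: str) -> str:
    """Inverse of encode_esn_label: restore padding, then decode."""
    padded = label.upper() + "=" * (-len(label) % 8)
    return base64.b32decode(padded).decode("ascii")


def agent_query_name(esn: str, zone: str = BEACON_ZONE) -> str:
    return f"{encode_esn_label(esn)}.{zone}"


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query packet: header (RD set), one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(packet: bytes) -> str:
    """Read the question name (uncompressed labels) from a query packet."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def host_decode_esn(qname: str, zone: str = BEACON_ZONE) -> Optional[str]:
    """Strip the zone suffix and decode the agent's ESN; None for anything
    that is not a well-formed beacon (wrong zone, extra labels, bad base32)."""
    suffix = "." + zone
    if not qname.lower().endswith(suffix):
        return None
    label = qname[:-len(suffix)]
    if not label or "." in label:
        return None
    try:
        return decode_esn_label(label)
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None


def build_dns_response(query: bytes, ip: str) -> bytes:
    """Echo the question and add one A record. TTL 0 keeps the agent's
    resolver from caching the marker between work cycles."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + answer


def host_handle_query(packet: bytes, stolen_esns: Set[str]) -> Tuple[Optional[str], bytes]:
    """Host side: decode the ESN, compare with the list, answer."""
    esn = host_decode_esn(parse_qname(packet))
    listed = esn is not None and esn in stolen_esns
    return esn, build_dns_response(packet, PREDEFINED_RESPONSE_IP if listed else NORMAL_RESPONSE_IP)


def agent_interpret_response(response: bytes) -> bool:
    """True when the predefined response came back, i.e. the agent should run
    its traceroute and also dial the telephone monitoring subsystem."""
    return ".".join(str(b) for b in response[-4:]) == PREDEFINED_RESPONSE_IP
```

Two points the code makes concrete. The source address the host sees belongs to the recursive resolver that forwarded the query, not to the stolen device, which is why the text has the agent follow the predefined response with a traceroute and a telephone call rather than relying on the query alone. From the defender's side, the same property that makes the beacon hard to block (it looks like any other lookup) makes it easy to spot in resolver logs: one fixed zone receiving single high-entropy labels at a regular interval.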
Functions of the Agent 

The Agent may be implemented in the firmware or 
software of any electronic device, such as a computer. 
Alternatively, the Agent may be implemented in any com- 
ponent of a computer, as with an electronic component such 
as the DSP in a modem or the CPU in the computer. 
Furthermore, the functionality of the Agent may t imple- 
mented in the circuitry of any hardware device capable of 
establishing a communication link through sending and/or 
receiving packets of data. 

One of the important functions of the agent is to contact 
the host monitoring system C to report the identity, location, 
and other information relating to its associated client com- 
puter 10. The agent has to determine the appropriate time for 
it to call the host monitoring system C. The agent can contact 
the host monitoring system C through the PSTN 9c con- 
necting to the telephone monitoring subsystem 9x, or 
through the Internet 9; which connects the Internet moni- 
toring subsystem 9y. Thus, the agent can communicate with 
a host monitoring system C using either the Internet or the 
PSTN techniques. Alternatively, the agent may rely concur- 
rently on both techniques. 

FIGS. 3-1 and 3-2 is a flow chart of the agent work cycle. 
This work cycle describes the method by which the Agent is 
loaded when the client computer 10 is initially turned on or 
reset, and the manner in which the operating system and the 
agent run concurrently. In this illustrative embodiment, the 
Agent is embedded in software. Once the client computer 10 
is powered on 11, it performs a power on self-test (POST) 
12. The POST tests the system hardware, initializes some of 
the devices for operation, and loads the master boot record 
(MBR) 13. Since the MBR was installed with an Agent 
subloader, the subloader is loaded into memory 14 and 
executed. The subloader* s first task is to load the Agent into 
memory 15 (which is discussed in detail below in reference 
to FIG. 5.) Then the subloader loads the operating system 
(OS) into memory 16 and returns control to the operating 
system. Now both the operating system 17 and the Agent 18 
are running simultaneously, 
a. PSTN 

In the PSTN application, once the Agent is running 18, it 
will determine the appropriate time to call the host 19. The 
time period in which the Agent is waiting for the appropriate 
time to call the host is the "active" period. The Agent will 
only call the host when a pre-defined time period has 



desired address had been recently resolved (DNS resolutions 50 elapsed, or when a pre-determined event has occurred which 



are cached to enhance the performance~60 hTDNSIsystem). 
If tKelDsolute.com DNS server cannot resolve misaddress, 
then jfie next DNS server up the chain is checked (the DNS 
s erver at' the "com" leve l). Kjhat^bighecleveLseiyer A also 
cannot resolve the address, then the root server directs the 55 
process down the chain to the top-level "edu" DNS server. 
If the "edu" DNS server cannot resolve the address, then the 
DNS server at berkeley.edu is contacted. Ultimately, a DNS 
server is found that can determine the appropriate IP address 
based on the Internet host name. The IP address is provided 60 
to the web browser to enable communication with www.p- 
smith.cs.berkeley.edu. 

Once the desired IP address has been determined, packets 
of data can be sent across the Internet through IP routers. 
These IP routers can read the numerical addresses and 65 
determine where to send each packet. Each IP router has a 
unique IP address. Typically, several IP routers need to be 



triggers the client to contact the host. Every one-eighteenth 
of second the Agent compares the current date and time with 
the date and time that the Agent is due to call the host. If the 
Agent determines that it is time to call the host it will transfer 
to "alert" mode. 

In alert mode the Agent will attempt to call the host 
eighteen times per second until it is successful. Once in alert 
mode, the Agent does a thorough search within the computer 
to find free (not currently being used by any running 
application) communication equipment 20. In an illustrative 
embodiment, the communication equipment comprises a 
modem 9. It is contemplated herein that different commu- 
nication mechanisms (i.e., modem, satellite link, RF Mnk. 
etc.) can be provided at several of the communication ports. 
In such a scenario, the Agent would poll the communication 
ports (corresponding to the different communication 
mechanisms) to find free communication equipment. If the 
Agent fails to find any free equipment, then the Agent will abort its attempt to call the host and repeat the cycle 18 within one-eighteenth of a second. However, if the Agent locates free communication equipment, it will call the host 21. Upon receiving a call from the client computer 10, the host examines the Agent identity, which according to the preferred embodiment is the serial number of the client computer, and determines if a connection should be established 22. The host establishes a connection when the serial number of the computer contacting the host matches an entry on a list of reported lost or stolen computers. In an alternative embodiment, this call-filtering feature is eliminated and the host system establishes a connection whenever there is an incoming call. The list of reported lost or stolen computers is maintained within the host monitoring system C. If the host does not accept the call then the Agent will not call back until the next appropriate time (after the predetermined time period has elapsed) 18. If the host accepts the call, then the Agent will send the host its encoded identity (such as its ESN), location (caller ID), any relevant serial numbers of computer components, such as CPU, hard drive, BIOS and any other desktop management interface (DMI) and any other pertinent information such as local date and time 23. The Agent then checks if the host has any data or commands for the client 24. If the host has no data or commands to be sent, then the Agent will terminate the call and repeat the cycle 18. Otherwise, the host will send the data or commands 25 before it terminates the call, and returns to "active" mode 18. This work cycle is described in much greater detail below with reference to FIGS. 14E, 14F and 14G.

In the Internet application, which can run alone or concurrently with the PSTN application, the Agent initiates a call to the host at relatively short intervals. According to the preferred embodiment, in its "active" mode the Agent calls the host every four hours 18a. The Agent uses the current time and the unique Agent identification to encode an Internet host name 18b. The Agent then forms a DNS request using the encoded Internet host name 18c. The Agent sends this DNS request to the host through the Internet 18d. If the agent's attempt to send the DNS request to the Internet times out 18A after a predetermined time period has elapsed, the Agent will sleep for one minute and then repeat the cycle from step 18b. If the call fails due to another error (such as the absence of Winsock facilities which enable communication with the Internet, and/or the failure of the computer to be configured for TCP/IP communication) 18e then the Agent will repeat the cycle four hours later 18a. In this way, the Agent inherently checks for the existence of an Internet connection.

After sending its DNS request, the Agent waits for a response. Upon receiving a valid response from the host 18e, the IP address is extracted from the response and compared against a reference IP address 18f. In this illustrative embodiment of the invention the reference IP address is "204.174.10.1". If the IP address equals "204.174.10.1" then the agent's mode is changed from "active" to "alert" on the Internet side 18g. The host will send this reference IP address only when it has determined that the Agent identification matches one of the entries on a list of reported lost or stolen computers stored at the host. If the IP address extracted from the host response does not equal "204.174.10.1" then the Agent remains in active mode and does not call the host for another four hours.

As will be explained in more detail below, when the Agent goes into "alert" mode in the Internet application, the Agent initiates a traceroute routine which provides the host with the Internet communication links that were used to connect the client computer to the host. These Internet communication links will assist the host system in tracking the client computer. The IP address of the source of the DNS query is sent to the host within the DNS query. However, if the source of the query is transmitted through a "proxy" server, then the IP address of the client computer (which may not be unique since it may not have been assigned by the InterNIC) will likely be insufficient to track the location of the client computer. In such a scenario, it is necessary to determine the addresses of other IP routers that were accessed to enable communication between the client and the host. These addresses and the times that they were accessed are compared with internal logs of the proxy server that record its clients' Internet access history. In this way, the client can be uniquely identified and located. Additionally, the transfer of the Internet application into "alert" mode is a condition that triggers the transfer of the PSTN application to "alert" mode.

The system remains transparent to an unauthorized user via implementation of well-known deflection methods. Attempts to read or write to the location where the Agent has been installed are deflected in order to prevent discovery of the agent. When read attempts are made to the Agent location the system generates meaningless bytes of data to be returned to the user. When write attempts are made to the location where the Agent is installed, the client computer accepts the input data and informs the user that the write has been successful. However, the data is not really stored, and thus the Agent is preserved. The Agent, in order to remain hidden to the user, will not interfere with any running applications unless designed to interfere.

Detailed Operation of Agent Work Cycle

Referring to FIG. 5, the Agent startup and loading sequence is described. The computer 10 is powered on and the loading sequence begins 700. As is well known in the art, the machine's start-up ROM procedure 701 in the computer 10 begins when the power is turned on. This process supervises the booting up and loading of the operating system of the computer. It performs the power-on self-test (POST) 702; in fact POST is carried out on every reset of the system, including the time when the power is first turned on. This test has two purposes: it performs a quick test 703 of the basic elements of the system; and it initializes the major hardware components for use. POST tests all of the ROMs on the system board by performing a checksum. This test adds together all of the bytes in the ROM module. As it does the addition, it discards any carry from the 8-bit result. If the final result is zero, the ROM passes the test. The initialization is done immediately after POST; it checks for new equipment and extensions to ROM 704. If it finds any 706, it momentarily turns control over to the ROM extensions so that they can initialize themselves. By design, the ROM Agent is a ROM extension, therefore its initialization routine will receive control 707 from the computer during the machine's start-up ROM procedure.

Once activated the Agent takes control of the whole computer 708. If it determines that it should call the Host computer, it follows the processes described in reference to FIGS. 4A-1, 4A-2, 4B and 4C. Basically, it finds a free communication port, establishes a communication link to the Host, sends its identity, then relinquishes control back to the machine's start-up ROM procedure. After POST has ended 713, the machine's start-up ROM procedure loads the operating system from disk 714, and passes control to it 715.

Referring to FIGS. 4A-1 and 4A-2, a flow chart is provided which describes one embodiment of the Agent work cycle in accordance with this invention. The Agent
looks for communications ports to be used. There are two types of communications ports: the old, but popular, communications ports called COM; and the new PCMCIA ports called PCMCIA. Since COM is more popular than PCMCIA, the Agent first looks for COM communications ports 322-338; if no COM communications ports are found then it will look for PCMCIA ports 338-350. To look for COM communications ports, the Agent checks all COM port addresses using COM port address table 333 to see if they exist 335. The first one encountered will be dynamically hooked 336 into by swapping the appropriate interrupt handler and unmasking the appropriate interrupt request line. If an error occurs, the next port will be checked 338, 334 until either a valid COM port is found or the COM port address table has been exhausted 338. If the COM communication port responds properly, then the Agent attempts to check if a modem is currently connected to this COM communications port by issuing the Hayes compatible AT command 339. If the modem does not exist, then the next port will be checked 338. If the modem exists it will respond with an "OK" to the AT command 341.

If no COM ports are found or if no modems are connected to COM communications ports and if the BIOS supports a PCMCIA modem 340, the Agent attempts to locate PCMCIA communications ports 340-350. The Agent searches for PCMCIA communications ports and PCMCIA modems in steps 342-350 in a fashion similar to the way it searches for COM communications ports 322-338. If no PCMCIA support is enabled 340 or no PCMCIA ports are found, the Agent will stop 358.

After a functional communications port and a modem are found, regardless of their type, the Agent will attempt to initialize the modem by sending it modem initialization strings 351-353 using strings from a table of initialization strings. If the modem does not respond with an "OK" 355, this indicates that the initialization attempt failed 356. If the initialization attempt failed, then the next set of strings in the table will be tried 354, and so on until a valid set of initialization strings is found, or the modem initialization string table is exhausted 356, at which point the Agent will stop 358.

During the system boot process, when the Agent stops at 358, it relinquishes control back to the machine's start-up ROM procedure (see step 715 in FIG. 5).
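The ROM checksum that POST applies to every ROM module (described above under Detailed Operation of Agent Work Cycle) is the test an Agent installed as a ROM extension must pass before its initialization routine receives control 707. The following is an added example, not code from the patent, of that checksum together with the conventional PC extension ROM header (55h, AAh, length in 512-byte blocks) which the example assumes; the sample ROM bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_BLOCK 512u

/* Eight-bit checksum as the POST description computes it: add every
 * byte of the module and discard any carry out of the 8-bit result. */
uint8_t rom_sum8(const uint8_t *rom, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint8_t)(sum + rom[i]);
    return sum;
}

/* POST accepts the module only when the truncated sum is zero. */
int rom_checksum_ok(const uint8_t *rom, size_t len)
{
    return rom_sum8(rom, len) == 0;
}

/* Value a ROM builder stores in the module's spare pad byte (assumed to
 * hold zero when this is called) so that the finished image sums to zero. */
uint8_t rom_balance_byte(const uint8_t *rom, size_t len)
{
    return (uint8_t)(0u - rom_sum8(rom, len));
}

/* Extension ROM header check. The header layout (55h, AAh, then the
 * module length in 512-byte blocks, with the checksum covering that many
 * bytes) is the conventional PC extension ROM format assumed by this
 * example; the page itself only describes the checksum. Returns the
 * module length in bytes when the module is valid, 0 otherwise. */
size_t rom_extension_valid(const uint8_t *img, size_t avail)
{
    if (avail < 3 || img[0] != 0x55 || img[1] != 0xAA)
        return 0;
    size_t len = (size_t)img[2] * ROM_BLOCK;
    if (len == 0 || len > avail)
        return 0;
    return rom_checksum_ok(img, len) ? len : 0;
}

/* Constructed one-block extension ROM with a small placeholder body and a
 * balancing pad byte in the last position (sample data, not a real ROM). */
void build_sample_rom(uint8_t img[ROM_BLOCK])
{
    static const uint8_t body[] = { 0xEB, 0x1D, 0x90, 0x52, 0x4F, 0x4D };
    memset(img, 0, ROM_BLOCK);
    img[0] = 0x55;
    img[1] = 0xAA;
    img[2] = 1;                                  /* one 512-byte block */
    memcpy(img + 3, body, sizeof body);
    img[ROM_BLOCK - 1] = rom_balance_byte(img, ROM_BLOCK);
}

/* Length POST would accept for the intact sample image (512). */
size_t sample_rom_valid_len(void)
{
    uint8_t img[ROM_BLOCK];
    build_sample_rom(img);
    return rom_extension_valid(img, ROM_BLOCK);
}

/* Length POST would accept after one pad byte is corrupted (0). */
size_t sample_rom_corrupted_len(void)
{
    uint8_t img[ROM_BLOCK];
    build_sample_rom(img);
    img[10] ^= 0x01;
    return rom_extension_valid(img, ROM_BLOCK);
}

int main(void)
{
    printf("intact module accepted for %zu bytes\n", sample_rom_valid_len());
    printf("corrupted module accepted for %zu bytes\n", sample_rom_corrupted_len());
    return 0;
}
```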

FIG. 4B describes in detail how the Agent detects whether PCMCIA support is enabled. It does this by checking to see if the computer is using a PCI BIOS 387, and the Cirrus PD6729 PCI Controller chip 389. If these features and chip set are detected, the Agent checks for port conflict 390 and wakes up the Cirrus PCI Controller 391. The Agent makes an I365_IDENT call to the PCMCIA Controller to identify the chip further 392. Such an I365_IDENT call is also made to the PCMCIA Controller even if the PCI BIOS and Cirrus PCI Controller are not present. The PCMCIA Controller chip is then initialized 393; if the chip is initialized successfully then PCMCIA support is enabled 395, otherwise PCMCIA support is not enabled 388. Once a valid and available communications port has been found, and it has been verified that a functional modem is associated with that port, the system will attempt to dial out to the remote host 357 (see also 370 in FIG. 4C).

Referring to FIG. 4C, the Modem Call routine 370 is illustrated. A dial string table 372 is used 371 to attempt the call since a PBX or switchboard etc. may need to be exited via a dialing prefix. If successful 373-374, the CONNECT result code (numeric or letters) from the modem will be received by the client 374. The Agent also decrements the offset in the dial string table so that the next time the machine is powered on or reset, the current dial string will be used. The host will send a signal ("Query") to the client requesting its serial number. If the client does not receive the "Query" signal 379 it will abort 384, reset the communication port and modem 385, and repeat the cycle 334, 343. If the client receives the "Query" signal, then the serial number is sent 380. At this point, telecommunications have been established and the agent-host transaction begins. If the transaction succeeds, the resultant state will be "active", otherwise it will be "alert". If a "NO DIALTONE" or "BUSY" event occurs 375-376, the offset in the Dial String Table will be incremented 378 so that the next dial string will be attempted the next time the machine is powered on or reset.

The Agent to remote host transaction involves the sending of the computer serial number 380 via the telephone company or carrier service. The "Caller ID" is implicitly received by the remote host (typically during the initial telecommunications event "RING"). Upon the occurrence of the event "CONNECT", the host sends the client a vendor specified message called "QUERY" 379 which in effect tells the client to send its serial number 380. This involves the host acknowledging that it has received 381 and processed 383 the serial number, thereby validating it. The client will attempt this call a pre-defined number of times 382 before it gives up (disconnects, cleans up, unhooks port 384, resets communication port and modem 385, repeats the cycle 300). At this point, the modem disconnects 384, and any other cleanup necessary occurs (such as changing the date of the last call to the present). Finally, the resultant state will be reset to "active" and the Agent will remove all traces of itself in memory to avoid being detected by unauthorized users. The Agent then stops 386. During system start-up, when the Agent stops, the machine's start-up ROM procedure continues to scan for the next ROM extension (see step 712 in FIG. 5).

If the computer that called in was not reported stolen, no further action with regard to the computer system that called in will be taken. If, however, the serial number transmitted to the remote Host matches one of the serial numbers on a currently valid list of stolen computers, further processing will occur to facilitate the recovery of the missing equipment. Such processing includes, but is not limited to, placing either an automatic or manual call to the local authorities in the vicinity of the missing equipment or the owner of such equipment.

Instead of making a modem call via the PSTN, the BIOS Agent may be configured to communicate with the host monitoring server via the internet in a similar fashion as explained in reference to FIGS. 3-1 and 3-2.

Referring to FIG. 3G, a dial string table 140 is used 139 to attempt the call since a PBX or switchboard may need to be exited using a dialing prefix. The dial string is sent 141, and if successful, the CONNECT result code (numeric or letters) from the remote host server will be received by the client 143. The host will send a signal ("Query") to the client requesting its serial number. If the client does not receive the query signal 148 it will abort 149 and repeat the cycle 117. If the client receives the "Query" signal, then the serial number is sent to the host 151. At this point, telecommunications have been established and the client-server transaction begins. If the transaction succeeds, the resultant state will be "active", otherwise the state of the PSTN application will still be in "alert" mode. If, for some reason, a "NO DIALTONE" event happens 144, a delay will occur 147 and the next dial string 141 will be attempted again. If the line
is "BUSY" 145, then a redial attempt 146 will occur using the same dial string for a predefined number of attempts or until a telecommunications connection is made, whichever occurs first. If there is no connection made pursuant to the sending of the dial string and if no dial tone or busy signal is received, then the call attempt is aborted 142.

The client to remote host server transaction involves the sending of the computer serial number 151 via the telephone company or carrier service. The Caller ID is implicitly received by the remote server (typically during the initial telecommunications event known as "RING"). Upon the telecommunications event called "CONNECT", the remote host server sends the agent security system client a vendor specific message called "QUERY" 148 which in effect tells the client to send the serial number. This step is particularly significant in an alternative embodiment of the invention wherein the serial number is not sent via the dialed numbers. The step of sending this serial number 151 requires the server to acknowledge that it has received 152 and processed 154 the serial number (validating it). If the appropriate acknowledgment is not received, the client computer will attempt to send its serial number a predefined number of times 153 before it gives up (whereby it disconnects, cleans up, unhooks port 127, 155 and returns to "alert" mode 156). Once the server has acknowledged that it has received and processed the serial number and any other information sent by the client, the modem disconnects 160. Any other cleanup necessary (such as changing the date of the last call to the present) will also be done here 160. Finally, the resultant state will be reset to active 161.

If the serial number of the computer that called in does not match any of the reported lost or stolen computers, no further action will be taken. If, however, the serial number transmitted to the remote host server matches one of the serial numbers on a current list of lost or stolen computers, further processing will occur to facilitate the recovery of the missing equipment. Such processing includes, but is not limited to, automatically or manually placing a call to the local authorities in the vicinity of the missing equipment, or the owner of such equipment.

Instead of making a modem call via the PSTN, the BIOS Agent may be configured to communicate with the host monitoring server via the Internet in a similar fashion as explained in reference to FIG. 2.

Operation of Agent Work Cycle Using a Global Network

Referring now to FIG. 14F, a flow chart is provided which describes in detail the background process operations relating to the Internet application. The background process wakes up every four hours 200. It uses the current date and time together with the agent identification to encode an Internet host name 205. This encoded host name is used in forming a DNS query 206 to be sent to the host Internet monitoring subsystem 9y. After sending this DNS query to the host Internet monitoring subsystem 9y through the Internet 207, the agent waits for a response 208. If an error is found 208a due to a missing DLL or poor TCP/IP configuration, or an error other than a time out, then the agent will wait four hours and repeat the cycle 200. If no response is received after a predetermined time period has elapsed, the agent will sleep for one minute 209 and then send another DNS query 205. Upon receiving a valid response from the host Internet monitoring subsystem 9y, the Internet Protocol (IP) address is extracted 210. If this IP address equals "204.174.10.1" 211 then the background process sets the agent's mode to alert 212. If the IP address does not equal "204.174.10.1" 211, then the agent remains in active mode and does not attempt to send another DNS query to the host for four hours 200.

Once the agent is in alert mode it initiates a traceroute 213 to provide the host with the Internet communication links which connect the client computer to the host. The transfer of the Internet application to alert mode also triggers the transfer of the PSTN application to alert mode. Once the PSTN application is in alert mode, the agent attempts to call the host telephone monitoring subsystem 9x to report its status (identification, location, and other information) through the PSTN, repeating the attempt until it is successful.

The following is a description of how the traceroute routine operates within the Internet to provide the Internet links which connect the client computer to the host. The Internet is a collection of local area networks joined by IP routers. These IP routers read the numerical destination address of the IP packet sent by each computer linked to the Internet and decrease the Time to Live (TTL) field (used to age a packet) of the packet before sending it to the next appropriate router. However, if the TTL field is zero, the router will return the packet to the source computer with a fail error code.

A traceroute is performed by doing multiple pings from the computer 10 to the host Internet monitoring subsystem 9y. The TTL field is incremented from one for each ping. The first ping is sent with a TTL value of one. It will fail at the first router and the first router address will be determined, since the IP packet which indicates the address of the first router will be returned to the source (client) computer. The second ping will then be sent with a TTL value of two. If this call fails then the second router address will be determined. This process is continued until the ping succeeds. By saving each router address, a trail of routers linking the client computer with the host Internet monitoring subsystem 9y is created. This route, representing the sequence of Internet communication links between the computer and the host, is then transmitted to the host Internet monitoring subsystem 9y which saves this information on disk.

The client computer then performs an arp to resolve the mac address which is transmitted to the server. This information can be used to help track the computer as a mac address is a unique number stored in Ethernet LAN cards. It is possible for an ip address to change, but the mac address is constant for the life of the Ethernet LAN card.

First, the "owner" of the source IP address (corresponding to a certain router (LAN) used) will be determined. This is accomplished by presenting the linking information (complete linking information between the client computer and the host is provided pursuant to the traceroute) to the appropriate Internet governing body, such as InterNIC, which is responsible for delegating IP addresses. According to the preferred embodiment, this query can be performed by sending a telnet command to the InterNIC including the address that needs to be queried.

Once the owner of an IP address is determined by querying the InterNIC, the retrieval process can continue. The owner, which may be an independent service provider (such as AOL, Netcom, etc.), is contacted and the date/time stamps saved by the Internet monitoring subsystem 9y are compared with the ISP's server logs which are used for billing. These logs generally contain extensive details relating to the owner, time, and date that a particular IP address was used. These logs may be stored in TACACS or RADIUS databases that are created from Cisco or Livingston terminals respectively. Thus, the location from which the client computer called the host through the Internet may be determined.

If the DNS query fails, or the returned address is 204.174.10.1, or the traceroute fails, the client attempts to
establish a web session with the absolute web server. It first tries to establish the session directly, then it tries any available web proxy server.

If it cannot establish a web session, it tries to establish an ftp session. The client first tries to establish the ftp session directly, then it tries any available ftp proxy server.

Once a web session or ftp session has been successfully established, the sessions are used as secure, encrypted transport sessions. These sessions allow the secure transmission of dos commands and data files.

The dos commands are executed on the client with the results returned and displayed on the server. This facility would allow an authorized user to search for files on the client, upload those files from the client to the server, and irreversibly erase the files from the client computer.

Referring to FIGS. 14E and 14G, the following is a detailed description of the agent work cycle with respect to the PSTN application. Once the system is powered on 117 a timer interrupt will occur 18.2 times per second. Every eighteen timer interrupts, the complementary metal-oxide semiconductor (CMOS) real-time clock will be accessed, and the time and date will be stored for comparison with the previous real-time clock access. If the date and/or time changes towards the future, no action will be taken to track the time displacement. In this way the agent determines whether it is time to call the host 118. Thus if the current date has advanced far enough into the future (past the date and time to call the host), the agent security system will change its mode of operation from active to alert whereby calls will be regularly attempted (eighteen times per second) until a call is made and a transaction with the host server has been completed. If the system time has been backdated, a modal change from active to alert will occur. This feature safeguards against a thief disabling the agent by backdating the client so that the agent does not call the host for a long period of time.

The communications ports are checked 119-125 (via a port address table 120) to see if they exist. If the first one encountered is not in use 123, it will be dynamically hooked 126 into by swapping the appropriate interrupt handler and unmasking the appropriate interrupt request line. If an error occurs, or if a port is in use, the next port will be checked 124 until either a valid port is found or the port address table has been exhausted 125. If the port address table is exhausted then the agent waits X seconds before trying to find an unused port again. Appropriate cleanup routines restore "swapped" ports to their initial settings.

If the communications port responds properly and a port is actually hooked into 126, the system will attempt to connect to a modem via issue of the Hayes compatible AT command 128. If the modem does not exist, that port is unhooked 127, and the next port is checked 124. If the modem does exist and if it responds with an "OK" 129 to the

Installing and Loading the Agent

The agent is installed during a typical boot up sequence to the operating system of a computer. FIG. 14 shows a boot-up process for a typical personal computer. It should be understood that this invention is applicable to other types of computers and electronic devices presently available or as marketed in the future with suitable modifications. Described below is the process of installing the security software onto a portable computer. The method of installation is crucial because the software must remain undetectable once installed. Furthermore, the software should be as difficult as possible to erase. In summary, the invention achieves these objects by installing the software in such a manner that it remains hidden to the operating system, such as MS-DOS.

Four alternative ways of installing the agent security system during the disk boot are illustrated in FIGS. 14A-14D respectively. A conventional boot up method is described in detail in Appendix I. The system can also be installed with MSDOS.SYS or IBMDOS.COM, but these are more difficult and less preferred than the three alternatives. The load program (described in the Appendix) can be used to install the agent by one or more of the alternative installation methods.

The agent may be installed in a variety of locations whereby second and third agents can provide back up support for the primary agent. The four locations where the agent may be installed on the client device are as follows:

1. The operating system boot sector—See FIG. 14A.

2. A hidden system file such as IO.SYS for MS-DOS or IBMBIO.COM for PC-DOS—See FIG. 14B.

3. The partition boot sector—See FIG. 14C.

4. The ROM BIOS—See FIG. 14D.

Referring to FIG. 14A, the agent loading sequence is described for loading the agent on the operating system boot sector. The computer 10 is powered on and the loading sequence begins 64. As is well known in the art, the computer 10 performs an initial testing routine to assure that all components are working properly 65. Illustratively, the program incorporated is the IBM-PC compatible Power-On Self Test (POST) routine. The partition boot sector is loaded 66. Next the operating system boot sector with the installed agent is loaded 67. In an effort to maintain the transparency of the agent, the CPU registers (corresponding to the current state of the computer) are saved 68. Before the agent is installed there is a check for a Remote Procedure Load (RPL) signature 69. If the signature is present this indicates that the agent is already in memory and will not be loaded again. However, if there is no RPL signature then preparation is made to load the agent. First, space is reserved for the agent at the ceiling of conventional memory 70. Next, the Interprocess Communication Interrupt (2Fh) is hooked 71, which enables communication with other programs. Inter-
XT command, the system will attempt to initiahze the nipt Eah, which is the disc input/output handler, is hooked 
modem by sending it a modem initialization string 130, 132 55 72. The old timer interrupt is saved, and new hook timer 
(from a table of initialization strings 131). If the modem interrupt is put into place 73. Now the CPU registers are 
does not respond with an "OK" 134, this indicates that the restored 74 in order to maintain the transparency of the 
initialization attempt failed and the next string in the table is system. The original operating system boot sector is loaded 
tried 136. This process continues until a valid initialization 75. The original operating system had been moved to 
string is found 134, or the modem initialization string table 60 accommodate the agent installation. Finally, the operating 
is exhausted 136 (at which point, the routine will delay for system is loaded 76 and running 77 again, 
some seconds then try again from the start by checking for Referring now to FIG. 14B, the agent loading sequence is 
the next available port 121). described 78-91 for loading the agent on a hidden system 

Once a valid and available communications port has been file such as IO.SYS for MS-DOS or IBMBIO.COM for 

found, and it has been verified that a functional modem is 65 PC-DOS. The sequence is analogous to that disclosed above 

associated with that port, the system will attempt to dial out for the operating system boot sector. However, instead of 

to the remote host server 137, 138. loading the agent with the operating system boot sector, the 
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agent is loaded with the operating system file 82 (load porated by reference. In one of the alternative methods of 

modified IO.SYS or IBMBIO.COM) . installation the Agent was disposed on the ROM BIOS using 

Referring to FIG. 14C, the agent loading sequence is hook interrupts and saving and restoring CPU registers. That 

described 92-104 for loading the agent on the partition boot method required these brute force techniques to enable the 

sector. The sequence is analogous to that disclosed above for 5 Agent to be compatible with certain operating systems, 

the operating system boot sector. However, instead of load- Operating system independent Agents are further disclosed 

ing the agent with the operating system boot sector, the agent herein, 

is loaded with the operating system partition boot sector 94. Segmented Agent 

Referring to FIG. 6A, the Agent is implanted in the boot Referring to FIG 7A, an alternate embodiment of the 

sector of the computer's hard-disk 721. The Agent is loaded 10 T^f u 8 7 stem >" de P endeilt B J 0S * described in 

into memory when the computer is turned on or reset 722. £ hich 15 mto two components. The 
One active, the Agent exeLes in memory 723 until the 

computer is powered down or reset. fam £ on Qnl ?53 ^onzl functions, such as asset and 

Referring to FIG. 14D the agent loadmg sequence configllration management, are handled by a High Level 

105-116 is described for loading the agent via ROM BIOS. 15 Co mp o neDt (HLC) that resides on the computer's hard-disk 

The sequence is analogous to that disclosed above for the 754 run from the disk 755. 

operating boot sector. However, the Agent is loaded from the Referring to FIG. 7B, the embodiment of FIG. 7B is 
ROM after the CPU registers are saved 107. At that time the described in greater detail. The SPC 757, upon recognizing 
ROM can take control of the system and load the agent. machine events and at specified intervals, checks to see 
Once the CPU registers are restored 113, the ROM can no 20 whether the Operating System is installed and active on the 
longer load the agenL hard-disk 758. Events that can be recognized include Power 
As is well known in the art, the computer 10 is performs Management events and Plug-and-Play queries such as the 
an initial testing routine to assure that all components are ACPI (Advanced Configuration & Power Interface) adopted 
working properly 65. Illustratively, the program incorpo- DV Microsoft and other developers or SMI (System Man- 
rated is the IBM-PC compatible Power-On Self Test 25 agement Interface) adopted by Intel and others. Power 
("POST") routine. Next, in an effort to maintain the trans- Management events are generated from the hard-disk pow- 
parency of the Agent, the CPU registers (corresponding to crin S down * ^ CPU sw i tc tog or the display 
the current state of the computer) are saved 107. Before the switching on or off. Plug-and-Play queries are received from 
Agent is installed there is a check for a Remote Procedure f"»Opentu« System when it ? identifying devices installed 
Load ("RPL") signature 108. If the signature is present, this 30 m *f m c a ^ me lo f dnvers t0 control those devices. 

indicates that the Agent is already in memory and will not be * *° S ^ * aWc * ™ un * ate ™* ?"L °^ r ^ 

1 a a TI •* .u • r.r»r • i_ System, it determines if it is tune to contact the Server 760. 

loaded again. However, if there is no RPL signature, then j/ does this b cheddn a which is reset tQ a 

preparation is made to load the Agent. First, space is cemm value during bootup and then decremented with each 

re^rvedformeAgentatmeceOingofconventionalmemory check mat ^ performed. Any time the counter reaches 0 

109. Next, Interprocess Communication Interrupt (2Fh) is 35 (zero), the SPC contacts the Server 761. If the SPC is unable 

hooked 110 which enables communication with other pro- to establish a communication link with the Operating 

grams. Interrupt 13/z, which is the disc input/output handler, System, it assumes that a problem exists with the system and 

is hooked 111. The old timer interrupt is saved, and new forces the counter to 0 (zero) 759. The SPC then immedi- 

hook timer interrupt is put into place 112. Now the CPU ately establishes a link to the Server 761 by any of the means 

registers are restored 113 in order to maintain the transpar- 40 discussed before regardless of the amount of time that has 

ency of the system. The original operating system boot elapsed since the last connection. 

sector is loaded 114. The original operating system had been / Once a communication link has been established between 



the SPC and the Server 762, the Server asks the SPC to 
identify itself 763. The SPC responds with the ID of the 
device that is being tracked 764. The Server then sends a 



moved to accommodate the agent installation. Finally, the 
operating system is loaded 115 and running again 116. 

Another configuration the BIOS Agent is shown in FIG. 
6B. The agent is implanted into the computer's BIOS 731 Irequest to the SPC 765 asking that it perform one or more 
and/or bootstrap BIOS. When the computer is turned on or / tasks at a specified future time (such as contacting the Server 
reset, the Agent loads itself into memory and checks for an j again). At the appropriate time, the SPC responds to any 
image of itself on the computer's hard-disk 732. If an image / such request 766. All communications between the Agent 
of the Agent is found, that image is refreshed 733 and run 50 and the Server will incorporate data encryption 767 to 



from the disk 734. If an image is not found, one is created 
on the disk 735. The newly created image is then loaded into 
memory and run from the disk 734. 

Turning to the operating system independent methods, 
referring to FIG. 6C, the Agent is implanted into the com- 
puter's BIOS 741 and runs directly from the BIOS 742. As 
more fully discussed below, variations of the BIOS Agent 
may include implanting the Agent in a DSP of a modem, a 
CPU of the electronic device, a hard wired circuitry or an 



All of the above BIOS Agents may be configured to 



provide an additional layer of security and prevent the 
sophisticated and user from intercepting or transmitting 
messages in an attempt to interfere with device tracking. The 
Server will determine the location of the tracked device with 
whatever means are available through the particular com- 
munication service being utilized. For instance, if a link 
were established over standard phone lines, Caller ID/ANI 
could be used to fix the location, or if a link were establish 
over Internet, the ID address can be used to fix the location. 



integrated circuit in the electronic device. 60 The capabilities of the software instaUed on the hard disk 



would be based upon the needs of the customer and might 



communicate with the host monitoring server via modem include advanced asset management or system administra- 

call and/or internet. tion functions. The hard disk-based components of the Agent 

Variations on Loading the BIOS Agent would perform in a method similar to that of the SPC, 

Four alternative ways of installing the Agent security 65 contacting the Server at specified intervals and transmitting 

system during the disk boot were disclosed in co-pending data back and forth as necessary to complete its scheduled 

U.S. application Ser. No. 08/558,432 which is hereby incor- tasks 769. 
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Alternatively, the SPC may be implemented in the CPU of 
the computer 10, the DSP of the . modem, or in the form 
integrated circuits or hard wired circuits, as more fully 
addressed below. 

The segmented Agent may be configured to communicate 
with the host monitoring server via modem call and/or 
internet. 
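The two contact-scheduling mechanisms described above, the PSTN agent's timer-interrupt check of the real-time clock with its backdating safeguard, and the Segmented Agent's SPC counter with the forced contact when the operating system cannot be reached followed by the identify, ID and schedule-request exchange of FIG. 7B, are modelled in the following Python simulation. It is an added example, not code from the patent or from any product. The 18.2 Hz timer rate, the eighteen-interrupt grouping, the two triggers and the message sequence follow the text; the class names, the counter's boot value of 5, the server's call-back interval of 10 checks and the message fields are assumptions of this example. The data encryption the text requires on the link is left out so that the exchange itself stays visible.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional

TICKS_PER_RTC_READ = 18   # the RTC is read every eighteen of the 18.2 Hz timer interrupts


class Mode(Enum):
    ACTIVE = "active"     # waiting for the scheduled call time
    ALERT = "alert"       # a call is attempted on every interrupt until a transaction completes


@dataclass
class RtcWatch:
    """PSTN agent: compare each RTC reading with the previous one (example class)."""
    next_call_at: datetime            # date/time to call the host, set by the last transaction
    mode: Mode = Mode.ACTIVE
    previous: Optional[datetime] = None
    ticks: int = 0

    def on_timer_interrupt(self, rtc_now: datetime) -> Mode:
        self.ticks += 1
        if self.ticks % TICKS_PER_RTC_READ == 0:
            prev, self.previous = self.previous, rtc_now
            if prev is not None and rtc_now < prev:
                self.mode = Mode.ALERT    # clock moved backwards: the backdating safeguard
            elif rtc_now >= self.next_call_at:
                self.mode = Mode.ALERT    # the scheduled call time has been reached
            # a forward change is stored without tracking the displacement
        return self.mode

    def on_transaction_completed(self, next_call_at: datetime) -> None:
        self.mode, self.next_call_at = Mode.ACTIVE, next_call_at


Message = Dict[str, object]


@dataclass
class Server:
    """Host side of FIG. 7B: ask for identity, then schedule the next contact."""
    call_back_after: int = 10          # constructed: checks until the SPC must call again
    seen: List[str] = field(default_factory=list)

    def on_link(self) -> Message:
        return {"type": "identify"}                            # 763

    def on_identity(self, msg: Message) -> Message:
        self.seen.append(str(msg["device_id"]))                # 764 (Caller ID/IP fixes location)
        return {"type": "request", "task": "contact_server",   # 765
                "after_checks": self.call_back_after}


@dataclass
class Spc:
    """Secure Protocol Component: counter-driven contact, forced when the OS is gone."""
    device_id: str
    boot_value: int = 5                # constructed value the counter is reset to at bootup
    counter: int = field(init=False)
    contacts: int = 0

    def __post_init__(self) -> None:
        self.counter = self.boot_value

    def on_check(self, os_reachable: bool, server: Server) -> bool:
        """One check, run on a machine event or at an interval (757/758). True if contacted."""
        if not os_reachable:
            self.counter = 0           # 759: assume a problem and contact immediately
        else:
            self.counter -= 1
        if self.counter > 0:
            return False
        self.contacts += 1             # 761/762: link established
        if server.on_link().get("type") != "identify":
            raise RuntimeError("unexpected server greeting")
        request = server.on_identity({"type": "identity", "device_id": self.device_id})
        self.counter = int(request["after_checks"])   # 765/766: honour the server's schedule
        return True


def demo() -> Dict[str, object]:
    """Constructed scenarios for both mechanisms."""
    out: Dict[str, object] = {}
    # PSTN agent: call due at 12:00; run 90 RTC seconds from 11:59:00, 18 interrupts each
    watch = RtcWatch(next_call_at=datetime(1998, 6, 1, 12, 0, 0))
    rtc = datetime(1998, 6, 1, 11, 59, 0)
    for _ in range(90):
        for _ in range(TICKS_PER_RTC_READ):
            watch.on_timer_interrupt(rtc)
        rtc += timedelta(seconds=1)
    out["rtc_reached_call_time"] = watch.mode               # ALERT once 12:00 is passed
    watch.on_transaction_completed(datetime(1998, 6, 8, 12, 0, 0))   # host: call in a week
    out["rtc_after_transaction"] = watch.mode               # ACTIVE
    backdated = rtc - timedelta(days=7)                     # a thief winds the clock back
    for _ in range(TICKS_PER_RTC_READ):
        watch.on_timer_interrupt(backdated)
    out["rtc_after_backdating"] = watch.mode                # ALERT despite a week of slack
    # SPC: twenty checks with the operating system present, then one with it missing
    server, spc = Server(call_back_after=10), Spc(device_id="ESN-000123", boot_value=5)
    checks = [True] * 20 + [False]
    out["spc_contacted_at"] = [i for i, up in enumerate(checks, 1) if spc.on_check(up, server)]
    out["spc_server_saw"] = server.seen                     # three identity reports
    return out
```

The point to notice in demo() is that a backdated clock trips the alert on the very next RTC read even though the rescheduled call is a week away, and that an unreachable operating system forces contact on that same check rather than waiting for the counter; both deny an attacker the quiet interval they would need.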
Modem Agent 

Referring to FIG. 8A, according to another embodiment 
of the invention, instead of installing the Agent in the ROM BIOS of the
computer, the Agent is installed into the Flash ROM (or 
EPROM) 811 or DSP 812 of the computer modem, either on 
a plug-in card or built-in on the motherboard (810) of the 
computer. The Agent can be embedded into the modem Flash
ROM (or EPROM 811) or DSP 812 by an installation utility 
that runs on the computer, or it can be embedded into the 
modem Flash ROM or DSP by the manufacturer. The 
Modem Agent can communicate with the Host Monitoring 
System through the PSTN 813 at scheduled times without 
the involvement of the PC processor. Thus, the Modem 
Agent is independent of the software running on the com- 
puter including the operating system. 

The Modem Agent enables a monitored computer to 
communicate to the monitoring server even if a new disk 
drive is installed. This provides a much more secure method 
of tracing the location of stolen computers where modifica- 
tions are made to the computer, before they are used. In the 
case where computers are stripped for parts, the Modem 
Agent will still be able to be located. Integration of the 
Modem Agent onto the motherboard of the computer will 
not allow the Modem Agent to become separated from the 
motherboard, protecting the most important component of 
the computer. 

A. Modem Hardware Architecture

The hardware architecture consists of a programmable
modem either in a plug-in card 820 or a module 830 
integrated onto the motherboard 831 of the monitored com- 
puter as shown in FIG. 8B and FIG. 8C respectively. Plug-in 
card based modems 820 are usually programmable but can 
be removed from the monitored computer. This prevents the 
modems from tracking the main portion of the computer.
Modem modules 830 integrated directly onto the mother- 
board can not be removed from the main portion of the 
computer. The modem module 830 is coupled to the CPU 
832 and RAM 833. 

The modem module 830 or plug-in card 820 will contain
a modem chip set 824, 834 that provides the modem
communication (encoding and modulation) and modem controller
functions. Depending on the chip set used,
it may contain a single or multiple DSPs and possibly a
microcontroller. The DSP will usually provide the commu 
nication software for encoding and modulation. The micro- 
controller will usually provide the modem controller soft- 
ware but some chips set provide two DSPs for both 
functions. Along with the chip set the modem will contain 
RAM 825, 835, a flash programmable EPROM 826, 836, 
A/D and D/A converters 827, 837 as well as a POTS
interface 828, 838. 

The RAM is used by the modem chip set as its main 
memory. The flash programmable EPROM is used to store 
the modem software. A/D and D/A converters with the 
POTS interface allow the chip set to send/receive signals 
over the analog PSTN phone lines. 

While the Modem Agent is described below in connection 
with communications with the host monitoring server via 
modem call, the Modem Agent may be configured with the 
additional and/or alternate function of communicating with 
the host monitoring server via internet. 



B. Modem Agent Software Architecture 
The Modem Agent resides on either a software upgrad-
able ISA or PCI modem card or a memory mapped/ISA
mapped modem module integrated on the mother board. 
These modems usually consist of two software entities, the 
controller software 841 and the communications software 
842 as shown in FIG. 8D. The controller software 841 
contains the software that controls the interface between the 
PC 845 and the communications software 842 as well as the 
POTS interface 844. It allows application software to com- 
municate with and control the actions and parameters of the 
communication software 842. 

The communication software 842 contains the modem 
communication functionality that provides the encoding and 
modulation schemes employed during communications. The 
communication software usually runs on a DSP while the 
controller software usually runs on a separate microcontrol- 
ler. However, some modems use a single processor to 
provide both functions. The communications software is 
usually not modifiable and is proprietary to the manufacture 
of the modem chip set. 

A third software entity, the Modem Agent 843, must be 
added to the modem software. The Modem Agent will reside 
on the processor that contains the Modem controller or the 
Flash EPROM or ROM. The Modem Agent will receive 
extended AT commands from the Agent Configuration Util- 
ity 846. These extended AT commands will be proprietary to 
the host monitoring service and will each require a pass- 
word. The Modem Agent will also be able to communicate 
with the host monitoring server directly. This capability will 
be provided by the call management function within the 
Modem Agent. (See FIG. 8E and discussions below.) 

The Modem Agent 843 will run in parallel to the modem 
controller 841 such that no modifications to the manufac- 
turer's software in the modem controller will be required. 
The modem controller will respond to the extended AT 
commands with "ERROR". However, the Modem Agent 
will qualify the error response with an extension response to 
indicate that the command was recognized and executed 
correctly if the syntax of the command and the password are 
correct. This will allow the standard modem controller code
to function as is and still allow the Modem Agent to respond 
to commands. 
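The parallel arrangement described above, together with the command set and the per-argument password rule given under "C. Modem Agent Functions" below, can be simulated as follows. This is an added Python example, not the patent's or any modem vendor's firmware. The command names (+XSESN, +XSDIAL, +XSMON, +XSTIME, +XSINTV), the response text and the use of a keyed HMAC-SHA256 over the command name and argument as the "password calculated from the argument" are this example's assumptions, as is the hard-coded shared secret.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed shared secret for this example. The text says only that the
# password is "calculated from the argument of the command"; a keyed HMAC is
# this example's choice of calculation, and a real service would provision
# the key per device rather than hard-code it.
SHARED_SECRET = b"example-monitoring-service-secret"


def command_password(name: str, argument: str) -> str:
    """Derive the password that must accompany an extended command."""
    msg = f"{name.upper()}={argument}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()[:16]


class ModemController:
    """Stand-in for the manufacturer's controller firmware: standard AT commands only."""
    STANDARD = {"AT", "ATZ", "ATH", "ATE0", "ATE1", "ATA"}    # constructed subset

    def handle(self, line: str) -> str:
        cmd = line.strip().upper()
        if cmd in self.STANDARD or cmd.startswith("ATD"):
            return "OK"
        return "ERROR"          # an extended command always draws ERROR from the controller


class ModemAgent:
    """Third software entity watching the same command stream as the controller."""
    # Hypothetical names: the text lists the functions, not their AT syntax.
    EXTENDED = {"+XSESN": "esn", "+XSDIAL": "dial_string", "+XSMON": "monitoring",
                "+XSTIME": "local_time", "+XSINTV": "alert_interval"}

    def __init__(self) -> None:
        self.config: Dict[str, str] = {"esn": "000000", "dial_string": "", "monitoring": "1",
                                       "local_time": "", "alert_interval": "60"}

    def handle(self, line: str) -> Optional[str]:
        """Extension response for a correctly authenticated extended command, else None."""
        cmd = line.strip()
        if len(cmd) < 2 or cmd[:2].upper() != "AT" or "=" not in cmd:
            return None
        name, rest = cmd[2:].split("=", 1)
        name = name.upper()
        if name not in self.EXTENDED or "," not in rest:
            return None
        argument, password = rest.rsplit(",", 1)
        expected = command_password(name, argument)
        # Wrong password: stay silent. The PC sees only the controller's ERROR, so a
        # probing user cannot tell that an agent is present.
        if not hmac.compare_digest(password.encode(), expected.encode()):
            return None
        key = self.EXTENDED[name]
        if self.config["monitoring"] == "0" and not (key == "monitoring" and argument == "1"):
            return None         # disabled: only enable-monitoring is honoured
        self.config[key] = argument
        return f"+XSAGENT: {name[1:]} SET"


def send(line: str, controller: ModemController, agent: ModemAgent) -> List[str]:
    """What the PC application receives: the controller's reply, qualified by the agent."""
    responses = [controller.handle(line)]
    ext = agent.handle(line)
    if ext is not None:
        responses.append(ext)
    return responses
```

Two properties of the text are carried over: the controller always answers ERROR, so its firmware needs no change, and a command with a wrong password gets no extension response at all, so someone probing the modem sees only ordinary ERROR replies and cannot infer that an agent is present.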

Referring to FIG. 8E, the Modem Agent 843 consists of 
three main program components: the command interface 
module 801, the command function module 802, and the call 
management function module 803. The command interface 
module 801 will handle all communications with the PC 
interface, in parallel with the modem controller. This will 
allow the command module to communicate with PC appli- 
cations. Its functions will include receiving/transmitting of 
controller characters from/to the PC as well as AT command 
identification. The command interface module 801 supports 
extended AT modem commands that enable control and 
configuration of the Modem Agent. The extended AT 
modem commands include but are not limited to: set ESN, 
set dial strings, enable monitoring, disable monitoring, 
report status, initiate monitoring call, and set local time. All 
of the extended commands are password protected to pre- 
vent unauthorized access and detection of the Modem 
Agent.

The command function module 802 implements the
functionality of the extended AT commands as well as 
functions required to communicate to the monitoring server. 
This could include call initialization, call scheduling, ESN 
identification, status monitoring, mode management, etc. 

The call management function module 803 will provide 
the interface to the monitoring server. It will allow the 
command module to communicate with the monitoring server. Its functions will include receiving/transmitting of data from/to the monitoring server and controlling the modem communication interface. The call management function module 803 contains the Secure Protocol Component (SPC) of the Segmented Agent as described before.

C. Modem Agent Functions

The Modem Agent provides two sets of functions. Firstly, to communicate with the PC's CPU, a set of extended AT commands is required. Secondly, to communicate with the host monitoring server, a set of functions is required.

1. Extended AT Commands

The Modem Agent supports extended AT commands to:

a. Set ESN
This command allows a configuration application to modify the ESN number that the Modem Agent uses when connecting to the host monitoring server. This command is used to configure new Modem Agents as well as to change the ESN when a new number has been assigned to it.

b. Set Dial Strings
This command allows a configuration application to modify the number dialed when contacting the host monitoring server. This command is used to configure new Modem Agents with the correct dial-up phone number for the host monitoring server as well as to modify it if a change is required.

c. Enable Monitoring
This command allows a configuration application to enable the monitoring service of the Modem Agent. This command is used to re-enable monitoring if the service has previously been disabled.

d. Disable Monitoring
This command allows a configuration application to disable the monitoring service of the Modem Agent. This command is used when the owner of the monitored PC wishes to terminate the electronic device trace service. The command will turn off the Modem Agent functions and AT commands with the exception of the enable monitoring command.

e. Report Status
This command allows a configuration application to report the status of the Modem Agent.

f. Force Contact with Monitoring Server
This command allows an application to force the Modem Agent to contact the host monitoring server. This command can be used, for example, to test the Modem Agent configuration.

g. Set Local Time
This command allows a configuration application to set the current time on the Modem Agent. This is to allow the Modem Agent to synchronize scheduled calling times to local time.

h. Set Alert Mode Interval
This command allows the interval of the alert mode (as described before) to be set.

All commands are password protected. The Modem Agent is shipped with a default configuration. The password accompanying each command will be calculated from the argument of the command. This will make the AT commands more difficult to defeat and will not allow the application communicating with the Modem Agent to become out of sync with its password. The calling application must take care not to send AT commands while the modem is being used by another application.

2. Modem to Server Functions

For the Modem Agent to communicate with the host monitoring server, a set of functions is required to:

a. Contact and Communicate with Monitoring Server
When monitoring is enabled, the Modem Agent calls the host monitoring server's phone. The Modem Agent sends its ESN to the host monitoring server. The host monitoring server tells the Modem Agent when to call again. The Modem Agent calls back at the scheduled time. A state diagram of the contact and communication mechanism is shown in FIG. 8F.

b. Schedule Communications with Monitoring Server
The Modem Agent is not able to schedule contact times on its own because it does not have access to a real-time clock. However, the Modem Agent is capable of measuring the passage of time. Thus, there is a need to initialize the current date and time in the Modem Agent upon power-up of the modem. This function can be provided by the HLC in a segmented Agent configuration described before, for example. If the Modem Agent does not receive the current date and time from the HLC within a predetermined interval after power-up, then the Modem Agent will enter alert mode and initiate contact with the host monitoring server. When the Modem Agent contacts the host monitoring server, it will verify the time last set by the Agent Configuration Utility.

c. Prevent Modem Contention
The Modem Agent does not interfere with the use of the modem by PC applications. Before calling the host monitoring server, the Modem Agent ensures that the modem is not currently in use. If a PC application starts to use the modem, as indicated by the receipt of AT commands by the modem, then the Modem Agent immediately drops any active call and immediately relinquishes control of the modem to the PC.

d. Active Alert Mode
The Modem Agent will enter alert mode when it has not received communications from the Agent Configuration Utility or configuration application within X minutes. The Modem Agent will then immediately attempt to contact the monitoring server and will continue to contact it every Y minutes until communications from the Agent Configuration Utility are received (set absolute time AT command). This mode is to prevent thieves from removing the hard disk or reformatting the hard disk to defeat the Agent tracing service.

CPU Agent

The Agent may be implemented in a CPU using an existing technology in many current microprocessors which allows patching of the microcode. The microcode is the architectural layer of the CPU which translates an external macrocode algorithm stored in volatile or non-volatile memory into a microprocessor's internal execution codes. Referring to FIG. 13A, the microcode patch 90 is formatted and encrypted according to each specific chip manufacturer's specifications. It is uploaded from the BIOS 91 to a microcode patch area 93 and/or microcode storage 94 in the CPU 92, after reset, during the POST initialization of the computer. The microcode patch 90 can implement all the functions of the conventional algorithmic Agent. Referring also to FIG. 13B, the Agent may take a similar form as the BIOS Agent or the SPC of the Segmented Agent described before. The SPC in the microcode patch initiates communication with the modem 95 asynchronously of the normal code stream (i.e., of the operating system or application program 96) via the logic unit and decoder 97 of the CPU 92. Examples of microprocessors which allow for microcode patching are the Pentium Pro and Pentium II processors developed by Intel Corporation. Of course it is also possible to implement the Agent in microcode or in logic circuitry inside the CPU during the manufacturing process, in addition to the patching facility or exclusive of the patching facility of the CPU.

US 6,300,863 B1

The CPU Agent may be configured to communicate with 
the host monitoring server via modem call and/or internet. 
Hardware Agent 

The Agent may be implemented in hard wired circuitry or 
a single integrated circuit using existing technology which 
takes an engineer's logic specification and translates it into the
data which is used to program, build, or design the hardware 
device or circuit. The hardware device or circuit would then 
execute according to the engineer's logic specification and 
perform the functions of the Agent by establishing a com- 
munications link and sending and receiving data packets in
order to establish both the identification and location of the 
electronic device within which the hardware device or 
circuit is included, thereby simulating the algorithmic func- 
tion of the Agent. 

Host Identification and Filtering System 

The Host Identification and Filtering System identifies 
and filters out unwanted calls from agents. FIG. 9 is a flow 
diagram of the host identification and filtering program 
executed by host computer 3. Once the security program is 
executed 26, the voice board waits 27 for the ring signal on 
the telephone line 1. When a ring signal is detected 28, the voice board 2 acknowledges the incoming call by sending a signal to the telephone company 9B via telephone line 1, requesting that the caller ID and the dialed numbers be sent to it. The voice board then waits until these numbers are received 29, 30.

Once the caller ID and the dialed numbers have been received, they are saved to the hard disk 31, 32. The security program then compares the dialed numbers 33, which provide an encoded version of the serial number of the client computer 10 (coding scheme explained in detail below), against a list of serial numbers stored on the hard disk 4. If no match is found, the program lets the phone ring until the client computer 10 hangs up the telephone line 34. In the preferred embodiment, the client computer is programmed to hang up after 30 seconds of unanswered ringing. However, if a match is found, the security program routes the call to an appropriate receiving line connected to a modem 35, which answers the call. In an alternative embodiment, the host 3 answers all calls and the serial number of the client computer 10 is provided in a separate, subsequent call from the client computer 10.

Encoding of the Client Computer Serial Number

Referring to FIG. 10A, in one embodiment of the invention, the serial number of client computer 10 is encoded within the dialed numbers it sends to the host 3. In the preferred encoding methodology, the client computer transmits its six digit serial number 170 to the host via a series of six complete dialed phone numbers 172. The first eight dialed digits after the first "1" are meaningless. The ninth dialed digit "N" 175 indicates which digit position within the serial number the tenth dialed digit corresponds to. The tenth dialed digit "D" provides the Nth digit of the serial number. The host computer 3 receives the six complete dialed phone numbers 172 and decodes them 173 by looking at only the ninth and tenth dialed digits. The client computer serial number 174 is thus reproduced.

For example, in the sequence "800-996-5511", the only relevant digits are the "11" portion. The first "1" indicates that the digit immediately to its right (1) is the first digit in the serial number. Similarly, in the sequence "800-996-5526", the "2" indicates that the number immediately to its right (6) is the second digit in the serial number. The client computer, in total, dials six numbers 172 in order to convey its six-digit serial number to the host.

In order to accommodate this method of serial number coding, the host monitoring system needs to subscribe to sixty different phone numbers. All sixty numbers should have the same first eight digits, and only vary from one another with respect to the last two digits. The ninth digit need only vary from "1" through "6", corresponding to the six digits within a serial code. However, the last digit must vary from "0" to "9".

Referring to FIG. 10B, the encoding methodology can alternatively be modified such that the client computer need only call the host three times to convey its serial number 180. According to this coding method, two digits of the serial number 186 would be transmitted in each call. Thus, the eighth dialed digit 185 would vary from "1" to "3", corresponding to the three packets of two digits 186 that make up the serial number 180. The ninth and tenth dialed digits 186 would vary from "0" through "9". However, this would require the operator of the monitoring system to subscribe to three hundred different phone numbers.

Host Processing, Auditing and Communication Subsystem

The host processing, auditing and communication subsystem receives and transmits information to and from clients. FIG. 11A is a flow diagram of the host communication program executed by host computer 3. After the host computer 3 is powered on 36, communication equipment is instructed to wait 37 for the telecommunication begin signal from the client computer 10. The telecommunication equipment acknowledges the begin signal by initiating a session to communicate with the client computer 38 and preparing the host to receive data packets from the client 39. The program first establishes that the client computer is sending data packets and that it has received all of the packets 40, 41. Next, the program determines if the client has any data or commands to be sent to the host 42. If not, the session is terminated 43 and the cycle is repeated 37. When all data packets have been received, the program permits the host to send data packets to the client computer. The program prepares to send data packets 44, and then establishes that there are more data packets to be sent 45 before sending each packet 46. Once all data packets have been sent, the program terminates the session 43, hangs up the phone, and prepares to repeat the entire cycle 37. Host-side source codes are disclosed in the copending patent applications Ser. Nos. 08/826,098 and 08/558,432, which have been incorporated by reference here.
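The two dialed-number encodings of FIGS. 10A and 10B described under "Encoding of the Client Computer Serial Number" above, together with the host-side filter of FIG. 9 that answers only calls whose decoded serial number is on its list, as an added Python example (not code from the patent). The prefix digits 80099655 and 8009965 are constructed; the text fixes only that the first eight (or seven) digits are meaningless and identical across the host's numbers. The decoders go slightly beyond the text in accepting the calls in any arrival order and rejecting duplicate or missing positions, which is what a host receiving six separate calls actually has to cope with.

```python
from typing import Iterable, List, Optional, Sequence, Set

# Constructed prefixes. The text fixes only their length (eight or seven
# meaningless digits); the real numbers belong to the monitoring service.
PREFIX_SIX = "80099655"
PREFIX_THREE = "8009965"


def encode_six_calls(serial: str, prefix: str = PREFIX_SIX) -> List[str]:
    """FIG. 10A: six dialed numbers; ninth digit = position N (1-6), tenth = digit D."""
    if len(serial) != 6 or not serial.isdigit():
        raise ValueError("serial number must be six decimal digits")
    if len(prefix) != 8 or not prefix.isdigit():
        raise ValueError("prefix must be eight digits")
    return [f"{prefix}{n}{d}" for n, d in enumerate(serial, start=1)]


def decode_six_calls(dialed: Sequence[str]) -> str:
    """Host side: read only the ninth and tenth digits of each number (any arrival order)."""
    digits: List[Optional[str]] = [None] * 6
    for number in dialed:
        if len(number) != 10 or not number.isdigit():
            raise ValueError(f"malformed dialed number {number!r}")
        n, d = int(number[8]), number[9]
        if not 1 <= n <= 6 or digits[n - 1] is not None:
            raise ValueError(f"bad or duplicate position in {number!r}")
        digits[n - 1] = d
    if any(d is None for d in digits):
        raise ValueError("incomplete serial number")
    return "".join(d for d in digits if d is not None)


def encode_three_calls(serial: str, prefix: str = PREFIX_THREE) -> List[str]:
    """FIG. 10B: three dialed numbers; eighth digit = packet 1-3, ninth/tenth = two digits."""
    if len(serial) != 6 or not serial.isdigit():
        raise ValueError("serial number must be six decimal digits")
    if len(prefix) != 7 or not prefix.isdigit():
        raise ValueError("prefix must be seven digits")
    return [f"{prefix}{k}{serial[2 * k - 2:2 * k]}" for k in (1, 2, 3)]


def decode_three_calls(dialed: Sequence[str]) -> str:
    """Host side for the three-call scheme."""
    pairs: List[Optional[str]] = [None] * 3
    for number in dialed:
        if len(number) != 10 or not number.isdigit():
            raise ValueError(f"malformed dialed number {number!r}")
        k, pair = int(number[7]), number[8:]
        if not 1 <= k <= 3 or pairs[k - 1] is not None:
            raise ValueError(f"bad or duplicate packet in {number!r}")
        pairs[k - 1] = pair
    if any(p is None for p in pairs):
        raise ValueError("incomplete serial number")
    return "".join(p for p in pairs if p is not None)


def numbers_to_subscribe_six(prefix: str = PREFIX_SIX) -> Set[str]:
    """Every dialed number the host must own for the six-call scheme (sixty)."""
    return {f"{prefix}{n}{d}" for n in range(1, 7) for d in range(10)}


def numbers_to_subscribe_three(prefix: str = PREFIX_THREE) -> Set[str]:
    """Every dialed number the host must own for the three-call scheme (three hundred)."""
    return {f"{prefix}{k}{dd:02d}" for k in range(1, 4) for dd in range(100)}


def host_accepts(dialed: Sequence[str], known_serials: Iterable[str]) -> bool:
    """FIG. 9 filter: answer only if the decoded serial number is on the host's list;
    otherwise the phone is left ringing until the client hangs up."""
    try:
        serial = decode_six_calls(dialed)
    except ValueError:
        return False
    return serial in set(known_serials)
```

The subscription-set functions make the text's arithmetic concrete: the six-call scheme needs one number per (position, digit) pair, sixty in all, and the three-call scheme one per (packet, digit pair), three hundred.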

Referring to FIG. 11B, the host processing, auditing and
communication subsystem for the Internet application
receives and transmits information to and from clients over
the Internet. FIG. 11B is a flow diagram of the host com-
munication program executed by host computer 3 in con-
nection with the Internet application. After the host com-
puter is powered on 36a, TCP/IP support is loaded and the
computer waits for a DNS query from the client computer
36b. The host name is then extracted from the DNS query
36c. Next, the DNS request is decoded to determine the
client computer identification 36d. A check is made to
determine whether the computer has been stolen 36e. This is
accomplished by comparing the identification number of the
client computer with a list of reported lost or stolen com-
puters which is stored by the host computer. If it has been
stolen, a suitable message 36f is returned to the client
computer 10. In the preferred embodiment, the message is
provided by setting the IP address of the next transmission
to the client computer to "204.174.10.1" 36f. If the client
computer is not stolen, an alternate message is returned 36g.



65 
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In the preferred embodiment this is achieved by setting the 
IP address to "207.174.10.16" 36g. The host uses either of 
these two IP addresses to form a response to the DNS query 
received from the client computer 36h. The host then sends 
its response to the client computer 36*. The host also records 5 
the transaction on the hard disk. The host then prepares to 
repeat the entire cycle 36b. 

Referring to FIG. 11C, the manner in which client identification is encoded is illustrated. FIG. 11C shows the various components of a host name which is used to form a DNS request. The host name, according to one embodiment of the invention, is a string of characters including the date and time 37, encoded client identification 38, and domain name 39. The encoded client identification 38 is extracted from the host name for decoding at the host Internet subsystem 9.
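The DNS exchange of FIGS. 11B and 11C written out end to end, as an added example (my illustration, not code from the patent or from the CompuTrace product). It fills in details the text leaves open and which are therefore assumptions: the date/time label is twelve digits (YYYYMMDDHHMM), the client identification is eight hexadecimal digits, and the monitoring domain is agent.example.com; the two signal addresses are the ones the text gives. The client builds a raw DNS A query carrying the encoded name; the host parses the question, looks the identification up in its stolen list, logs the transaction and answers with one of the two addresses.

```python
"""Client-side encoding and host-side decoding of the DNS identification query.

Added example, not the patent's code. Encoding scheme, domain and sample
client ID are assumptions; the two signal addresses come from the text.
"""
import struct
from datetime import datetime

DOMAIN = "agent.example.com"       # assumed monitoring domain (label 39)
STOLEN_SIGNAL = "204.174.10.1"     # reply when the unit is on the stolen list (36f)
CLEAR_SIGNAL = "207.174.10.16"     # reply when it is not (36g)


def encode_hostname(client_id: int, when: datetime, domain: str = DOMAIN) -> str:
    """Client: date/time label (37), encoded ID (38), domain (39)."""
    return f"{when.strftime('%Y%m%d%H%M')}.{client_id:08x}.{domain}"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Client: minimal RFC 1035 A query for qname (header + one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(query: bytes) -> str:
    """Host (36c): extract the question name from the raw query."""
    pos, parts = 12, []
    while query[pos] != 0:
        n = query[pos]
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        parts.append(query[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(parts)


def decode_hostname(name: str, domain: str = DOMAIN):
    """Host (36d): split the name into (client time, client ID)."""
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError("query is not for the monitoring domain")
    stamp, hexid = name[:-len(suffix)].split(".")
    return datetime.strptime(stamp, "%Y%m%d%H%M"), int(hexid, 16)


def host_answer(query: bytes, stolen_ids: set, log: list) -> bytes:
    """Host (36e-36i): stolen check, log the transaction, answer with a signal IP."""
    when, cid = decode_hostname(parse_qname(query))
    ip = STOLEN_SIGNAL if cid in stolen_ids else CLEAR_SIGNAL
    log.append({"client_id": cid, "client_time": when, "reply": ip})
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    # Echo the question, then one A record whose name points back at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def answer_ip(response: bytes) -> str:
    """Client: the signal address is the A record's RDATA (last four bytes)."""
    return ".".join(str(b) for b in response[-4:])


def demo(stolen: bool):
    """One round trip for a constructed client ID and fixed clock; returns (ip, log entry)."""
    q = build_query(encode_hostname(0x1A2B3C4D, datetime(1999, 5, 17, 14, 30)))
    log = []
    resp = host_answer(q, {0x1A2B3C4D} if stolen else set(), log)
    return answer_ip(resp), log[0]


if __name__ == "__main__":
    print(demo(True)[0], demo(False)[0])
```

The date/time label does double duty: it carries the client's clock to the host, and it makes every query name unique, so no intermediate resolver can answer from cache and the query always reaches the authoritative host. Two caveats follow from the design: the identification travels in clear text through every recursive resolver on the path and will appear in their logs, and the returned address is a signal to be compared against the two known values, not an address the agent should connect to.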

Host Notification Subsystem 

The host notification subsystem notifies the end-users regarding the status of their electronic devices. In FIG. 1, various methods of notification such as electronic mail N1, fax N2, paging N4, and telephone call N3 are depicted. FIG. 12 is a flow diagram of the host notification program executed by host computer 3. The host notification program determines whether there are any pending notification instructions or commands 48. If there are pending notifications, the information is retrieved 49. The program then determines the preferred preselected notification method 50, and formulates the message to be dispatched 51 according to the preselected notification method. This message is dispatched to the end-user 52. After dispatching the message, the program repeats the entire cycle 47. Host-side source codes are disclosed in the copending patent application Ser. Nos. 08/826,098 and 08/558,432 which have been incorporated by reference herein.

Variations and Alternatives

The above description relates to the agent security system installed and operating in a conventional PC with an Intel 80X86 microprocessor or equivalent and with a conventional MS-DOS or PC-DOS operating system. It will be recognized that the system can be modified to fit other types of computers including, for example, those sold under the trademark Macintosh. The system can easily be modified to suit other types of operating systems or computers as they develop.

The above system is also intended to be added to existing computers without physical alteration. Another approach is to modify the ROM of such computers to contain the agent security system as shown in FIG. 14D. The agent security system also may be incorporated into the ROM of portable computers, cellular telephones or other such items when they are manufactured. FIG. 14D above describes the loading of the system from such a modified ROM.

One embodiment of the invention uses a modem connected or built-in to a computer. In the future it is likely that telephone systems will be digitized, thus obviating the need for a modem. The scope of this invention contemplates such digitized systems.

The system could also be included in the ROM of a cellular telephone. In this case, the program would hide the outgoing calls from the user by silencing audio signals and maintaining a normal screen display. It is also conceivable that portable computers can be supplied with integral cellular telephones modified in this manner or with some other telecommunication device.

The main telecommunication criterion for this agent security system is that the outgoing transmission (wire, radio signal or otherwise) be received by a switching mechanism, and contain information that causes the switching mechanism to forward the information received to a remote station. Presently, this information is a telephone number and/or a DNS query. But other indicia of the remote station may be substituted in alternative switchable communications systems without departing from the scope of this invention.

Covering Peripherals and Software

Referring now to FIG. 16, modern electronic devices, 
such as personal computer 400, are associated with a large 
number of valuable assets in the form of internal compo- 
nents such as processor 402 and option card 404, attached 
peripherals such as printer 406, keyboard 408, mouse 410 
and modem 412, and installed software programs such as 
installed program 414. 

The security function of the agent discussed above may be 
extended to encompass identifying, listing, reporting, locat- 
ing and recovering these associated assets. This method and 
apparatus could also be used to reliably track and manage 
the type of assets being deployed in an organization's work 
force. This method can immediately report the variance 
should any unauthorized component change take place. 

This security apparatus and method utilizes a hidden, 
tamper-proof agent 416 installed on an electronic device 
such as computer 400 for initiating communications and 
locating electronic devices as previously disclosed herein. 
The agent is also capable of determining the identifying 
indicia, such as a unique serial number, of a component or 
peripheral. 

Referring now to FIG. 17A, each computer, peripheral and component such as computer 400, CPU 402, option card 404, printer 406, keyboard 408, mouse 410, modem 412, software program 414, and agent 416 or other associated peripheral or component is assigned an identifying indicia, such as unique serial numbers 401, 403, 405, 407, 409, 411, 413, 415 and 417 respectively. The serial number of each component comes from the manufacturer or is embedded at the time of assembly or installation of the component, peripheral or software.

Referring now to FIG. 17B, at step 420, agent 416 within 
an electronic device such as computer 400 periodically 
gathers the serial numbers 401, 403, 405, 407, 409, 411, 413, 
415 and 417 of computer 400 and each of the components 
and software 402, 404, 406, 408, 410, 412, 414 and 416 
respectively. On a regular basis, or in the event of a variance from a stored string of previously recorded serial numbers, at step 422 agent 416 transmits its electronic serial number 417 plus the string of discovered serial numbers as serial string 424 to the server. The server stores serial string 424, or a validation key 428 derived from serial string 424, in a database.

The component validation key is comprised of the agent's 
ESN and all the serial numbers of the associated compo- 
nents. One method is to string the ESN and serial numbers 
end-to-end. This method is illustrated in FIG. 2. 

After formulating validation key 428, agent 416 sends 
validation key 428 to server 430. The identity and the 
location of agent 416 is recorded, as previously disclosed, 
and validation key 428 is archived on storage device 432. All 
further communications with agent 416 cause server 430 to 
check subsequently transmitted validation key 429 for vari- 
ances against the original archived validation key 428. 
Server 430 may also check validation key 428 against 
records of stolen components or software. Any discrepancies 
may be queued for appropriate action. 

When new components and software are added to an existing configuration, validation key 428 will change to reflect the configuration modifications. Each modification so detected will cause a variance in validation key 428. These variances will be checked against stored information 434 at server 430 and validated. The validation process will include checks against records 435-439 of stolen components and software, such as record 439 of duplicated identification numbers (as commonly occurs in component and software piracy), and records 440 authenticating proper final assembly by manufacturers. This validation process is illustrated in FIG. 19.

Manufacturers experience losses of components and soft- 
ware before final assembly of the electronic unit. Since this 
method and apparatus identifies and locates individual com- 
ponents and software, the information collected may be used 
to initiate recovery of specific components and software as 
well as the complete unit. If the electronic device, such as a 
PC, is misappropriated before final assembly, some of the 
components may not yet have been imprinted with a unique 
number. The absence of this number may also be an indi- 
cator of an invalid or illegal configuration. 
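The validation-key procedure of FIGS. 17B and 19 in concrete form, as an added example (mine, not the patent's code). The agent side strings the ESN and the component serials end to end as the text describes; the server side archives a derived key, flags a variance when a later key differs, names the components that changed, and checks every serial against records of stolen and duplicated identification numbers and for the absent-serial case of the preceding paragraph. The field delimiter, the use of SHA-256 as the derived key, the component names and all serial numbers are constructed for the example.

```python
"""Component validation key: agent-side construction and server-side checks.

Added example, not the patent's code. Delimiter, digest choice and every
serial number below are assumptions/constructed sample data.
"""
import hashlib

SEP = "|"   # assumed delimiter so serials of differing length cannot run together


def serial_string(esn: str, serials: dict) -> str:
    """Agent (step 422): ESN first, then each component serial in a fixed order."""
    return SEP.join([esn] + [f"{name}={serials[name]}" for name in sorted(serials)])


def validation_key(serial_str: str) -> str:
    """Validation key 428 as archived by the server: a digest of the serial string."""
    return hashlib.sha256(serial_str.encode()).hexdigest()


def _components(serial_str: str) -> dict:
    """Split a serial string back into {component: serial}, dropping the ESN."""
    return dict(part.split("=", 1) for part in serial_str.split(SEP)[1:])


class Server:
    def __init__(self, stolen: set, duplicates: set):
        self.archive = {}            # esn -> serial string recorded at registration
        self.stolen = stolen         # record 435-438: serials reported stolen
        self.duplicates = duplicates  # record 439: serials seen on more than one unit
        self.queue = []              # discrepancies queued for appropriate action

    def register(self, esn: str, serials: dict) -> str:
        self.archive[esn] = serial_string(esn, serials)
        return validation_key(self.archive[esn])

    def check(self, esn: str, serials: dict) -> dict:
        """Compare a transmitted key 429 with archived key 428 and the records."""
        current = serial_string(esn, serials)
        archived = self.archive.get(esn, current)   # first contact: nothing to compare
        report = {"variance": False, "changed": [], "stolen": [], "duplicate": [], "missing": []}
        if validation_key(current) != validation_key(archived):
            old, new = _components(archived), _components(current)
            report["variance"] = True
            report["changed"] = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        for name, sn in _components(current).items():
            if sn in self.stolen:
                report["stolen"].append(name)
            if sn in self.duplicates:
                report["duplicate"].append(name)
            if not sn:                      # unit left the factory before imprinting
                report["missing"].append(name)
        if any(report[k] for k in ("changed", "stolen", "duplicate", "missing")):
            self.queue.append((esn, report))
        return report


def demo():
    """Constructed configuration: register it, then swap in a stolen printer, a
    pirated software serial and an unimprinted mouse."""
    srv = Server(stolen={"PRN-7781"}, duplicates={"SW-0000-0000"})
    base = {"cpu": "CPU-402A", "card": "OPT-404B", "printer": "PRN-406C",
            "keyboard": "KBD-408D", "mouse": "MSE-410E", "modem": "MDM-412F",
            "software": "SW-414G"}
    srv.register("ESN-417", base)
    unchanged = srv.check("ESN-417", base)
    altered = dict(base, printer="PRN-7781", software="SW-0000-0000", mouse="")
    varied = srv.check("ESN-417", altered)
    return unchanged, varied, len(srv.queue)


if __name__ == "__main__":
    for r in demo()[:2]:
        print(r)
```

Archiving only the digest is enough to detect that something changed; naming which component changed needs the serial string itself (or a per-component record), which is why the server above keeps both. A duplicated-ID record is only useful if the server also indexes serials across all units, so that the same serial appearing under two ESNs is noticed at registration time.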

The Agent can also be used to regularly upload the system, software and hardware configuration information of the Personal Computer. The agent is capable of reading a hidden file termed the "PC's Birth Certificate".

"Birth Certificate" Repository and Reader

PC "Birth Certificate" 450 refers to a small data file 451 
which contains certain static and dynamic information per- 
taining to a specific PC such as PC 456 or portable 458 
(serial number, asset tag number, invoice information, etc.). 
The creation, content, and format of the Birth Certificate 450 
is configurable. 

The agent may provide a method for encrypting and 
storing Birth Certificate 450 in a protected area 460 of PC 
hard-disk 462. 

The agent retrieves the Birth Certificate using a Reader program which serves as a secure key. Only personnel in possession of a "master" Reader 452, or customers who have licensed a "private" Reader 454, will be able to access Birth Certificate information. The Reader may reside on a floppy disk such as disk 452 or 454.

Remote Computer Monitoring Software

Agent 464 silently calls into monitoring center 472 on a periodic (programmable) basis. Call and other PC asset management activity is logged, and reported to customers on-demand via the web-based Online Monitoring Service 468. The online monitoring service database 470 may include the following:

Call-in phone number (retrieval option includes: name and address),

Birth Certificate information such as file 451,

Dynamic System information files such as file 476 (NetCensus, Asset Insight, etc.),

Customer-created information files such as file 474.

The above data will be collected, aggregated per customer, and sent to a 3rd party data center on a regular basis. Stand-alone systems such as system 476 may be installed within the data center, or on-site at customer locations.

CompuTrace is designed as a system to track the physical location of computers. The CompuTrace Agent such as agent A of FIG. 1 is installed on a remote computer A1 to be monitored and, through the use of (i) the public switched telephone network B1, (ii) the Internet B5, and (iii) local area networks B7, the CompuTrace server 3 maintains a database of records on computer A1's location and movements.

Tracking information is collected during periodic telephone calls to the CompuTrace server 3, wherein server 3 identifies the unique agent A and obtains the phone number from which that call has been made.

Once installed, the operation of the remote CompuTrace software is invisible to the user, and calls are made without the user's explicit awareness.

Overview of the CompuTrace BIOS Agent

The core function of the CompuTrace Agent such as agent A is to initiate independent transactions with a monitoring server 3 at regular intervals. This function has been adapted to work under an SMM environment. This subset of agent functionality is described as the Secure Protocol Component 752 (SPC) shown in FIG. 7A.

SMM is triggered by a System Management Interrupt (SMI) event. These SMI events are triggered by hardware and are serviced in Operating System (OS) independent memory space. This feature of SMM enhances the security of the SPC by effectively hiding the SPC from applications executing under the control of the OS.

The technical challenge is to successfully establish a link with the monitoring server and reliably send and receive packets of data from the SMM environment, which (because it executes outside of OS control) is restricted in both the frequency and latency of SMI events.
The Server Interface

In order to understand the role of the SPC, it is necessary to describe its interface with the monitoring server. The subset of transactions described below is the minimum required to perform the security function of a CompuTrace Agent.

A CompuTrace SPC transaction consists of the following steps:

Step 652, the SPC initiates communication link 654 to the CompuTrace Server,
The SPC and Server connect,
The SPC reports the remote computer's time/date and the CompuTrace ID number,
The Server logs this data and determines the status of the remote computer,
The Server sends a series of commands to the SPC,
The telephone call is terminated.

Server to SPC commands supported by the SPC are as follows:

Set next call date
Notifies the SPC of the date and time at which to perform the next call-out. This function is executed as a standard part of every call-out transaction.

Set callout phone number
Notifies the SPC of a new phone number to which it should direct its call-outs. The SPC will direct all subsequent call-outs to this phone number until otherwise instructed.

Disable CompuTrace
The SPC is disabled and will not call out within the natural lifetime of the unit. May be implemented as a sub-function of "Set next call date."
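The six transaction steps and the three server commands above, run through as an added example (my simulation, not the patent's or the product's code). The telephone link and the connect/hang-up steps are collapsed into a function call; what remains is the report the SPC sends, the server's log-and-status decision, the command list it returns and the SPC applying it. The message layout, the command codes, the rule that a unit on the stolen list is told to call back in one hour while others get the normal interval, and the sample ID and stolen list are all assumptions. "Disable" is modelled, as the text allows, as "Set next call date" with a date that never arrives.

```python
"""SPC <-> server call-out transaction with the three server commands.

Added example, not the patent's code. Command codes, message layout,
the stolen call-back interval and the sample data are assumptions.
"""
from datetime import datetime, timedelta

SET_NEXT_CALL = 1        # assumed command codes
SET_CALLOUT_NUMBER = 2
DISABLE = 3
NEVER = datetime.max.replace(microsecond=0)   # "will not call out within the lifetime of the unit"


class SPC:
    def __init__(self, computrace_id, clock, callout="1-800-000-0000"):
        self.id = computrace_id
        self.clock = clock              # callable returning the unit's current time
        self.callout = callout          # number the next call-out is directed to
        self.next_call = clock()        # first call-out as soon as the trigger fires
        self.enabled = True

    def time_to_call(self) -> bool:
        """The Time to Call condition evaluated by the Slow trigger."""
        return self.enabled and self.clock() >= self.next_call

    def report(self) -> dict:
        """Step 3: the remote computer's time/date and the CompuTrace ID."""
        return {"id": self.id, "time": self.clock()}

    def apply(self, commands):
        """Step 5: execute the server's commands in the order received."""
        for code, arg in commands:
            if code == SET_NEXT_CALL:
                self.next_call = arg
            elif code == SET_CALLOUT_NUMBER:
                self.callout = arg
            elif code == DISABLE:           # sub-function of Set next call date
                self.enabled = False
                self.next_call = NEVER
            else:
                raise ValueError(f"unknown command {code}")


class Server:
    def __init__(self, stolen_ids, interval=timedelta(days=7), new_callout=None):
        self.stolen = set(stolen_ids)
        self.interval = interval
        self.new_callout = new_callout   # number to push to every caller, if any
        self.log = []

    def handle(self, rep: dict):
        """Step 4: log the report, determine status, build the command list."""
        status = "stolen" if rep["id"] in self.stolen else "ok"
        self.log.append((rep["id"], rep["time"], status))
        commands = []
        if self.new_callout:
            commands.append((SET_CALLOUT_NUMBER, self.new_callout))
        # Set next call date is part of every transaction; a stolen unit is asked
        # to call back soon so each call can be traced (assumed policy).
        delay = timedelta(hours=1) if status == "stolen" else self.interval
        commands.append((SET_NEXT_CALL, rep["time"] + delay))
        return status, commands


def transaction(spc: SPC, server: Server):
    """One complete call-out (steps 1-6); returns the status or None if not due."""
    if not spc.time_to_call():
        return None
    status, commands = server.handle(spc.report())
    spc.apply(commands)
    return status                        # the call is terminated here


def demo():
    """Constructed run: a stolen unit calls, is rescheduled, then is disabled."""
    now = [datetime(1999, 5, 17, 9, 0)]
    spc = SPC("CT-0001", clock=lambda: now[0])
    srv = Server(stolen_ids={"CT-0001"}, new_callout="1-800-555-0199")
    first = transaction(spc, srv)                 # due: stolen, called back in 1 h
    now[0] += timedelta(minutes=30)
    second = transaction(spc, srv)                # not yet due
    now[0] += timedelta(minutes=31)
    third = transaction(spc, srv)                 # due again
    spc.apply([(DISABLE, None)])
    now[0] += timedelta(days=365)
    fourth = transaction(spc, srv)                # disabled: never calls
    return first, second, third, fourth, spc.callout, len(srv.log)


if __name__ == "__main__":
    print(demo())
```

Because every command the SPC accepts originates from whoever answers the call-out number, "Set callout phone number" and "Disable" are the two commands a practitioner would want authenticated: a party that can answer the configured number, or redirect the call, can silence the agent for the life of the unit. The text does not describe such authentication, so none is modelled here.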

The Event Loop of the SPC:

The SPC is constructed as a timed event-driven state machine. A simplified diagram of event loop 602 is illustrated in FIG. 21.

At the top center of the diagram, Trigger 600 is shown to drive the timing of events to the state machine of the SPC. Trigger 600 is activated at regular frequencies, but the exact frequency of the Triggers is relatively unimportant to the successful operation of the SPC.

As illustrated, the sources of the Trigger are Slow 604 (in the range of 0.25 seconds to 15 minutes) and Fast 606 (in the range of 0.25 seconds to 3 seconds). Sources Slow 604 and Fast 606 are determined by the current execution state 608 of the SPC.
In the initial execution state the Trigger source is Slow 604, the execution state 608 is false, and Time Out state 610 is calculated to determine if Time to Call 612 should be evaluated (exceeding Next Call Out Date). If it is Time to Call, execution state 608 of the SPC is changed to Start Call 614. Start Call state 614 sets the execution state 608 true and all Active execution states use Fast 606 source. Fast 606 source drives the evaluation of all communication states as well as some additional housekeeping states. While execution state 608 is true, the Time Out state 611 is evaluated at the rate of Fast 606. If there is no Time Out, execution state 616 will Execute and be evaluated at 618 to determine if the SPC should Advance to Next state 620. The execution state of the SPC will remain unchanged until each state is evaluated successfully or a Time Out occurs. In the event that a Time Out occurs, the state will Retry 619 as appropriate or assume an Error state 621. [Note that there are some special communications driven error states not shown on this simplified diagram.] Upon the successful completion of all execution states 608, execution state 608 is reset to false and Slow 604 Trigger again drives the state machine to evaluate the Time to Call condition.

Communications in the SPC:

The communications in the SPC are not interrupt driven in the conventional sense. Driving communications with UART interrupts would conflict with the requirements of SMM. The communications and the communication protocol are driven by the Fast Trigger source explained above. Remember that the Fast Trigger source can be varied in the range of 0.25 seconds to 3 seconds as required to improve the latency of SMM.

The Basic Protocol of the SPC is illustrated in FIG. 22. This figure applies to the execution of the communication state subset of all Active states of the SPC.

Transaction 630 begins at Compare UART state 632. The status of the UART is compared and evaluated to determine if activity has occurred outside of the execution environment of the SPC. In this simplified drawing of contention handling, if No Activity is detected, communications continue at step 638; otherwise, if DTR 634 has been reset, the communications will Abort at step 636. If DTR 634 is still active, the call will Hang-up at step 640.

Transaction packets 631 with the monitoring server 633 are designed to fit within FIFO 635 of a UART 637. This enables a polling method of communications in which the XMIT FIFO of the UART is filled with 16 bytes, or RECEIVER 639 is read for 16 bytes, at each Fast 606 Trigger as appropriate.

If in a XMIT state 638, the SPC will Build the Packet 642, calculate the CRC 644, and then fill the FIFO of the UART with up to 16 bytes 646. The SPC returns to the OS and waits for the next Fast 606 Trigger. Packet data 631 sits in FIFO 635 of UART 637 awaiting transmission across the link.

If in a RECEIVE state 648, the SPC will Get the FIFO data for up to 16 bytes 650, check the CRC 652, and Decode the Packet 654. The receive FIFO of the UART may be empty, contain some of the packet bytes, or all of the packet bytes. The SPC did not need to respond to a UART interrupt and returns to the OS to wait until the next Fast Trigger to complete the transaction.

Resources for the SPC:

The actual size of the SPC can only be estimated until implemented in a specific BIOS, but the protocol and housekeeping code fit in about 2K. Extra code will be required to provide the Slow and Fast Triggers and to manipulate configuration data. In the initial implementation, the triggers are generated by the legacy USB timer, which is shared by the legacy USB code. If the legacy USB support is not enabled, the timer can be controlled directly or shared with another function. This code requirement is fairly small since it is implemented by sharing existing functions for manipulating the chipset.

The housekeeping code does not need to be entirely resident in SMM space [remainder of this sentence illegible in the source] device, or both. This data can be stored in semi-persistent data space from within the SPC, such as CMOS, and then transferred to more persistent storage, such as the flash device, during the next boot cycle.

The interface code for a software driver needs to be implemented and will use the standard software SMI mechanisms. This additional code should take no more than 2K compressed, for a total of no more than 4K of flash real estate. The dynamic requirements are around 2K of SMM space in the current implementation, but the SMM handler can vary the location of the SPC code. Some key parts of the SPC, especially the writeable data segment, must remain in SMM space. Currently this data segment is only about 48 bytes but may need to grow to around 100 bytes if required. If the state machine can also be contained in SMM space, the security of the SPC is enhanced.

The SPC Drivers

The SPC can be supplemented by software drivers. Since the SPC is a subset of the existing product, the full functionality of CompuTrace will be provided by operating system dependent drivers. The CompuTrace Agent drivers have been developed for DOS, Win 3.1, Win 95, and Win NT.

These drivers will be enhanced to detect and communicate with the SPC. The API for communicating with the SPC will closely parallel the communications interface with the Server. The drivers will deposit transactions for the SPC to process when activated at a later time. By designing the API in this fashion, the resource requirements of the SPC will be minimized.

An illustration of the relationship between the software drivers and the SPC is contained in FIG. 23. This figure shows how the SPC is a security backup for the drivers and is usually disabled by transactions with software drivers. If the software drivers have not communicated recently with the SPC, the SPC will automatically complete the transaction with the monitoring server.

OEM configurations of the SPC:

We have identified four potential OEM configurations which embed the SPC.

The SPC is disabled
Provided for future use by the full CompuTrace driver suite.

The SPC operates independently
Provided for protecting the unit from the point of manufacture, through the channel, then disabled when identified as a legitimate sale.

The SPC is bundled with the full CompuTrace driver suite
Provided as a value-added service for end-users direct from the point of manufacture.

The SPC operates independently and is bundled with the full CompuTrace driver suite
A combination of channel protection and value-added protection for the end-user.

This application contemplates sending and receiving signals from a client computer to a host system through a global network system. The Internet has been described in this
application as merely one application of the invention. It is contemplated that this invention can and will be applied to other global network systems. Thus, the specific disclosure addressed to the Internet should not be construed as a limitation as to the scope of the invention, but rather should be considered to be merely one embodiment of the invention.
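The polled transfer from "Communications in the SPC" above, together with the Time Out, Retry and Error behaviour of "The Event Loop of the SPC", as an added example (mine, not the patent's BIOS code). A packet is built with a CRC; on each Fast trigger the sender tops up a 16-byte transmit FIFO or the receiver drains up to 16 bytes, and the receiver reassembles the packet, which may arrive empty, partial or complete on any given trigger, and checks the CRC. Assumptions of mine: the packet layout (one length byte, payload, CRC-16/CCITT), a toy UART whose transmit FIFO is moved to the far end once per trigger, a time-out after four silent triggers, and one retry on a fresh line. The SMI trigger itself is replaced by a loop iteration.

```python
"""Trigger-driven SPC packet transfer through 16-byte UART FIFOs.

Added example, not the patent's code. Packet layout, CRC choice, FIFO model,
time-out budget and retry policy are assumptions.
"""
FIFO_DEPTH = 16      # bytes moved per Fast trigger, as in the text


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); stands in for 'calculate the CRC'."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_packet(payload: bytes) -> bytes:
    """Build the Packet 642: length byte, payload, 2-byte CRC over length+payload."""
    assert len(payload) < 256
    body = bytes([len(payload)]) + payload
    return body + crc16(body).to_bytes(2, "big")


def decode_packet(buf: bytes):
    """Decode the Packet 654: payload if buf is complete and CRC-valid, else None."""
    if not buf or len(buf) < buf[0] + 3:
        return None                                   # FIFO empty or packet still partial
    body = buf[:buf[0] + 1]
    return body[1:] if crc16(body) == int.from_bytes(buf[buf[0] + 1:buf[0] + 3], "big") else None


class Uart:
    """Toy UART: XMIT FIFO, RECEIVE FIFO and a line that moves bytes once per trigger."""
    def __init__(self, drop_after=None):
        self.xmit, self.recv = bytearray(), bytearray()
        self.sent, self.drop_after = 0, drop_after    # drop_after: line dies after N bytes

    def fill(self, data: bytes) -> int:
        """Fill the XMIT FIFO with up to 16 bytes (646); return bytes accepted."""
        room = FIFO_DEPTH - len(self.xmit)
        self.xmit += data[:room]
        return min(room, len(data))

    def tick(self):
        """Between triggers the line drains XMIT into the far end's RECEIVE FIFO."""
        moved = bytes(self.xmit)
        self.xmit.clear()
        if self.drop_after is not None and self.sent + len(moved) > self.drop_after:
            moved = moved[:max(0, self.drop_after - self.sent)]   # dead line loses the rest
        self.sent += len(moved)
        self.recv += moved

    def read(self) -> bytes:
        """Get the FIFO data for up to 16 bytes (650)."""
        out, self.recv = bytes(self.recv[:FIFO_DEPTH]), self.recv[FIFO_DEPTH:]
        return out


def transfer(payload: bytes, uart: Uart, timeout_ticks: int = 4, retries: int = 1):
    """Drive XMIT then RECEIVE one Fast trigger at a time.

    Returns (state, payload_or_None, triggers_used_in_last_attempt)."""
    for attempt in range(retries + 1):
        pkt, pos, rxbuf, idle, ticks = build_packet(payload), 0, bytearray(), 0, 0
        while True:
            ticks += 1                                # one Fast trigger
            if pos < len(pkt):                        # XMIT state 638
                pos += uart.fill(pkt[pos:])
            uart.tick()                               # return to the OS; line moves data
            chunk = uart.read()                       # RECEIVE state 648
            rxbuf += chunk
            idle = 0 if chunk else idle + 1
            got = decode_packet(bytes(rxbuf))
            if got is not None:
                return "done", got, ticks             # Advance to Next state
            if idle >= timeout_ticks:                 # Time Out: Retry or Error
                break
        uart = Uart()                                 # Retry on a fresh line (assumption)
    return "error", None, ticks


if __name__ == "__main__":
    print(transfer(b"x" * 50, Uart()))
    print(transfer(b"x" * 50, Uart(drop_after=20), retries=0))
```

A 53-byte packet needs four triggers to cross the link, so at the 3-second end of the Fast range a single transaction costs seconds rather than milliseconds; that latency, not bandwidth, is what the text means by improving the latency of SMM. The receiver must tolerate a FIFO that is empty on one trigger and holds the tail of the packet on the next, which is why decoding is attempted on the reassembled buffer rather than on each 16-byte read.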

It will be understood by someone skilled in the art that many of the details described above are by way of example only and are not intended to limit the scope of the invention, which is to be interpreted with reference to the claims which follow.

We claim: 

1. A method for tracing an electronic device having an 
agent initiating communication and providing identifying 
indicia to a host system, said electronic device connectable 
to said host system through a global network, said method 
comprising the steps of: 

automatically providing said host system with said iden- 
tifying indicia through said global network for deter- 
mining the identity of said electronic device; and 

providing said host system with one or more global 
network communication links used to enable transmis- 
sion between said electronic device and said host 
system, said transmission via said communication links 
used for determining the location of said electronic 
device. 

2. The method of claim 1 wherein said global network 
includes Internet. 

3. The method of claim 1 wherein said electronic device is further connected to said host system through a telephone network, and said method further comprising the steps of:

providing said identifying indicia to said host system through said telephone network; and

determining the location of said electronic device by tracing the source of said identifying indicia within said telephone network.

4. The method of claim 1 wherein said electronic device is further connected to said host system through a cablevision network, and said method further comprising the steps of:

providing said identifying indicia to said host system through said cablevision network; and

determining the location of said electronic device by tracing the source of said identifying indicia within said cablevision network.

5. The method of claim 1 wherein said electronic device is further connected to said host system through a wireless radio frequency network, and said method further comprising the steps of:

providing said identifying indicia to said host system through said wireless radio frequency network; and

determining the location of said electronic device by tracing the source of said identifying indicia within said wireless radio frequency network.

6. The method of claim 1 wherein said electronic device is further connected to said host system through a wireless microwave network, and said method further comprising the steps of:

providing said identifying indicia to said host system through said wireless microwave network; and

determining the location of said electronic device by tracing the source of said identifying indicia within said wireless microwave network.

7. The method of claim 3 wherein said step of providing said host system with said identifying indicia through said global network, and said step of providing said identifying indicia to said host system through said telephone network, occur at predetermined intervals.

8. The method of claim 7 wherein said electronic device is lost or stolen and said method further including the step of tracing lost or stolen electronic devices.

9. The method of claim 2 wherein said step of providing said host system with said one or more of the Internet communication links is accomplished using a traceroute routine.

10. The method of claim 1 wherein said step of providing said host system with said identifying indicia is accomplished by sending a data packet including address information relating to the source of the global network transmission.

11. The method of claim 2 wherein said step of providing said host system with said identifying indicia is accomplished by sending a domain name service query with said identifying indicia encoded therein.

12. The method of claim 2 further including the step of providing a list of lost or stolen electronic devices to said host system and comparing said list of lost or stolen electronic devices with said identifying indicia to determine if said electronic device is lost or stolen.

13. The method of claim 12 wherein said host system sends a signal through said Internet to said electronic device if it is determined to be lost or stolen indicating that said lost or stolen electronic device should initiate a traceroute routine.

14. The method of claim 12 wherein said host system sends a signal through said Internet to said electronic device if it has been determined to be lost or stolen indicating that said electronic device should initiate a call to said host system via said telephone network.

15. The method of claim 11 wherein said identifying indicia is encoded within said domain name service query according to a predetermined scheme.

16. The method of claim 15 wherein said host system decodes said identifying indicia to determine the identity of said electronic device.

17. The method of claim 1 wherein said electronic device is a computer having a hard drive.

18. The method of claim 17 further including the step of providing said agent with deflection means to enable said agent to resist disablement attempts and evade detection.

19. The method of claim 18 wherein said deflection means deflects read and write attempts to the location where said agent is disposed.

20. The method of claim 1 wherein said step of evading detection is accomplished by providing an agent which is operable without interfering with the normal operation of said electronic device.

21. The method of claim 17 wherein said step of loading said agent within said computer is accomplished by loading said agent within the boot sector of said hard drive.

22. The method of claim 17 wherein said step of loading said agent within said computer is accomplished by loading said agent within the partition sector of said hard drive.

23. The method of claim 17 wherein said step of loading said agent within said computer is accomplished by loading said agent within an operating system file on said hard drive.

24. The method of claim 23 wherein said operating system is MS-DOS and said operating system file is IO.SYS.

25. The method of claim 23 wherein said operating system is PC-DOS and said operating system file is IBMBIO.COM.

26. The method of claim 17 wherein said step of loading said agent within said computer is accomplished by loading said agent on the ROM BIOS.
27. The method of claim 17 wherein said agent is a terminate and stay resident program.

28. The method of claim 17 wherein said agent is a virtual device driver program.

29. The method of claim 17 wherein said agent is an application program.

30. The method of claim 17 wherein said agent is a file filter program.

31. The method of claim 1 wherein [...] said identifying indicia automatically and without user intervention.

32. The method of claim 31 wherein said step of providing said host system with said identifying indicia occurs without causing audible or visible signals to be emitted from said electronic device.

33. The method of claim 2 wherein the communication link between said electronic device and said host system is provided through a link to a private network connection to the Internet.

34. The method of claim 2 wherein the communication link between said electronic device and said host system is provided through a telephone line connected to an Internet provider.

35. The method of claim 1 further comprising the step of assigning said identifying indicia to said agent wherein said identifying indicia comprises a unique electronic serial number, said electronic serial number for enabling the determination of the identity of said electronic device associated with said agent.

36. The method of claim 1 further comprising the step of loading said agent within said electronic device for [...] with said host system such that said agent evades detection.

37. A method for monitoring an electronic device connectable to a host system through a global network, said electronic device having an agent, said agent providing identifying indicia for determining the identity of said electronic device, said method comprising the steps of:

loading said agent within said device such that said agent evades detection; and

automatically providing said host system with said identifying indicia through said network without causing audible or visual signals to be emitted from said electronic device.

38. The method of claim 37 wherein said electronic device is further connected to said host system through a telephone network, and said method further includes the step

44. The method of claim 43 wherein the Agent is encoded in one or more device components in the electronic device, including internal non-volatile memory device, communication device, processor, digital signal processor, integrated circuit and hardware circuit.

45. The method of claim 44 wherein the internal non-volatile memory device includes one of ROM BIOS, ROM, EPROM, EEPROM and Flash ROM.

46. The method of claim 44 wherein the communication device is a modem.

47. The method of claim 46 wherein the Agent establishes communication with the host system by using a command function which initializes the communication and a call management function which interfaces with the host system.

48. The method of claim 44 wherein the Agent establishes communication with the host system independent of normal operations of the electronic device.

49. The method of claim 42 wherein the Agent is activated independent of normal system operations of the electronic device.

50. The method of claim 42 wherein the Agent is activated prior to normal system operations of the electronic device.

51. The method of claim 49 wherein the Agent is activated by loading into an internal volatile memory and running the Agent prior to activating normal system operations of the electronic device.

52. The method of claim 50 further comprising the steps of:

checking whether the Agent is also found on a hard disk within the electronic device; and

[...] the Agent to the hard disk prior to loading and running the Agent [...].

53. The method of claim 44 wherein a first component of the Agent is provided in a first device component and a second component of the Agent is provided in a second device component.

54. The method of claim 53 wherein the first component of the Agent includes a secure protocol component of the Agent which communicates with the electronic device's operating system.

55. The method of claim 54 wherein [...] immediately establishes the communication link with the host [...] identifying indicia of the electronic device [...] the second component fails to [...] communication with the operating system.

of providing said identifying indicia to said host system $6 ^ method of claim „ s^ein ^ deyice 

mrough said telephone network^ component includes a hard disk drive. 

39. The method of claim 37 wherem said step of providing 5? ^ ^ within m elcctronic device m . 

said identifying indicia occurs automatically and without * F • *■ • *■ -*u t. . ■* ■ 

J & . 1 agent for initiating communication with a host monitoring 

human intervention. 50 * » T- -j *-c • • j- • . u > ■ ~ 

><a tu «u j * i ■ 10 u . « r ... system and providing identifying indicia to a host monitor- 

^The method of claim 38 wterem said step of providing . said electronic device connectable to said host 

said host system with said identifying indicia through said ffioaitori s ^ em mrough a gj obal network , said apparatus 

global network, and said step of providmg said identifying comprising* 

indicia to said host system through said telephone network 7 .«■... 

occur at predetermined intervals. 55 means for automatically providmg said host monitoring 

41. The method of claim 36 wherein said global network system with said identifying indicia through said global 
is the Internet and said step of providing said identifying networic for determining the identity of said electronic 
indicia is accomplished by encoding a domain name service device; 

query to include said identifying indicia. means for providing said host monitoring system with one 

42. The method of claim 7 or 40 wherein said step of 60 or more global network communication links used to 
providing said host system with said identifying indicia enable transmission between said electronic device and 
through said global network, and said step of providing said Q0S * monitoring system; and 

identifying indicia to said host system through said tele- means for assisting the host monitoring system to deter- 

phone network occur simultaneously. mine the location of said electronic device by tracing 

43. The method of claim 1 wherein the Agent is encoded 65 said communication links. 

in one or more forms, including software, firmware and 58. The apparatus of claim 57 wherein said electronic 

hardware. device is further connected to said host monitoring system 
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through a cablevision network, and said apparatus further identifying indicia comprises a unique electronic serial 

includes means for providing said identifying indicia to said number, said electronic serial number for- enabling the 

host monitoring system through said cablevision network, determination of the identity of said electronic device asso- 

and means for determining the location of said electronic ciated with said aeent 

device by tracing the source of said identifying indicia 5 75 Xhe ms of daim 5? wherein w electronic 

within said cablevision network. , . . t _v . . . , . . 

59. Hie apparatus of claim 57 wherein said electronic further conQected to said host monitoring system 
device is further connected to said host monitoring system mrou S h a telephone network, and said apparatus further 
through a wireless radio frequency network, and said appa- deludes means for providing said identifying indicia to said 
ratus further includes mean, for providing said identifying 10 host monit °rmg system through said telephone network, and 
indicia to said host monitoring system through said wireless means for determining the location of said electronic device 
radio frequency network, and means for determining the by tracing the source of said identifying indicia within said 
location of said electronic device by tracing the source of telephone network. 

said identifying indicia within said wireless radio frequency 76. The apparatus of claim 75 wherein said means for 

network. 15 providing said host monitoring system with said identifying 

60. The apparatus of claim 57 wherein said electronic indicia through said global network, and said means for 
device is further connected to said host monitoring system providing said identifying indicia to said host monitoring 
through a wireless microwave network, and said apparatus system through said telephone network operate at predeter- 
further includes means for providing said identifying indicia mined intervals. 

to said host monitoring system through said wireless micro- 20 77. The apparatus of claim 75 wherein said electronic 

wave network, and means for determining the location of device is lost or stolen. 

said electronic device by tracing the source of said identi- 78 . The apparatus of claim 75 further including means for 

fying indicia within said wireless microwave network. providing a list of lost or stolen electronic devices to said 

61. The apparatus of claim 57 wherein said electronic host monitoring system and means for comparing said list of 
device is a computer having a hard drive. 25 lost or stolen electronic devices with said identifying indicia 

62. The apparatus of claim 57 wherein said agent evades to determine if said electronic device is lost or stolen, 
detection by operating without interfering with the normal 79. The apparatus of claim 78 wherein said host moni- 
operation of said electronic device. toring system includes means for sending a signal through 

63. The apparatus of claim 57 wherein said means for the Internet to said electronic device if it is determined to be 
providing said host monitoring system with said identifying 30 fost Qr mdicatmg ^at Mid lost or stolen e i ec t r0 Qic 
indicia operates automatically and without user intervention. device should initiate said traceroute routine. 

64. The apparatus of claim 62 wherein said means for 80 . The apparatus of claim 78 wherein said host moni- 
providing said host monitoring system with said identifying toring system includes means for sending a signal through 
indicia for said electronic device occurs without causing the Internet to said electronic device if it is determined to be 
audible or visible signals to be emitted from said electronic lost or stolcn indicating that said lost or stolen electronic 
de ^i 3e ^n_ r device should initiate a call to said host monitoring system 

65. The apparatus of claim 57 wherein said global net- through said telephone network. 

work is the Internet. 81. The apparatus of claim 57 wherein the Agent is 

66. The apparatus of claim 65 wherein said agent is ^ encoded in one or more forms, including software, firmware 
provided with deflection means for evading detection and an d hardware. 

resfcting disablement. 82 . Tne apparatus of claim 81 wherein the Agent is 

67. The apparatus of claim 66 wherein said deflection , , - , 4 . 4 , , ^ 

rr ^ ^cum wu^i^m »<iiu i*uu,uuu encoded in one or more device components m the electronic 

means deflect read and write attempts to the location on said device, including internal non-volatile memory device, corn- 
hard drive where said agent is disposed. 45 munication device, processor, digital signal processor, inte- 

68. The apparatus of claim 65 wherein said identifying grated circuit and hardware circuit. 

indicia is encoded within a domain name service query. 83. The apparatus of claim 82 wherein the internal non- 
69. The apparatus of claim 68 wherein said host moni- volatile memory device includes one of ROM BIOS, ROM, 
toring system includes means for decoding said identifying EPROM, EEPROM and Flash ROM. 
indicia to determine the identity of said electronic device. 50 84. The apparatus of claim 83 wherein the communication 

70. The apparatus of claim 65 wherein said means for device is a modem. 

providing said host monitoring system with said one or more 85. The apparatus of claim 84 wherein the Agent com- 

global network communication links is accomplished using prises a command function which initializes communication 

a traceroute routine. wiln lhe host system an d a call management function which 

71. The apparatus of claim 65 wherein said Internet 55 ^rtaces with the host system. 

connection between said electronic device and said host 86 The apparatus of claim 82 wherein the Agent is 

monitoring system is provided through a link to a private configured to establish communication with the host system 

network connection to the Internet. independent of normal operations of the electronic device. 

72. The apparatus of claim 69 wherein said link to a 60 87. The apparatus of claim 83 wherein the Agent is 
private network connection to the Internet is a wireless link. configured to be activated independent of normal system 

73. The apparatus of claim 65 wherein said Internet operations of the electronic device. 

connection between said electronic device and said host g8. The apparatus of claim 87 wherein the Agent is 

monitoring system is provided through a telephone line configured to be activated prior to normal system operations 

connected to an Internet provider. 65 of the electronic device. 

74. The apparatus of claim 65 further including means for 89. The apparatus of claim 87 wherein the Agent is 
assigning said identifying indicia to said agent wherein said configured to be loaded into an internal volatile memory and 
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executed prior to activating normal system operations of the 
electronic device. 

90. The apparatus of claim 88 wherein the Agent is further 
configured to check whether the Agent is also found on a 
hard disk within the electronic device and copying the Agent 
to the hard disk prior to loading and running the Agent. 

91. The apparatus of claim 82 wherein a first component 
of the Agent is provided in a first device component and a 
second component of the Agent is provided in a second 
device component. 

92. The apparatus of claim 91 wherein the first component 
of the Agent includes a secure protocol component of the 
Agent which communicates with the electronic device's 
operating system. 

93. The apparatus of claim 92 wherein, the Agent is 
configured to immediately establish the communication link 
with the host system to transmit the identifying indicia of the 
electronic device if the secure protocol component fails to 
establish communication with the operating system. 

94. The apparatus of claim 91 wherein the second internal 
memory device is a hard disk drive. 
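The domain-name-service encoding of claims 41, 68 and 69 together with the lost-or-stolen list comparison of claim 78, as an added example in Python that is not part of the patent; the zone name monitor.example, the base32 label layout and the sample serial numbers are assumptions made for this illustration.

```python
"""Host-side decoding of identifying indicia carried in a DNS query name.

Added example, not code from the patent: the claims only state that the
indicia is "encoded within a domain name service query", that the host
"decodes" it, and that it is compared with a list of lost or stolen
devices. The wire format used here (a base32 label under a hypothetical
monitoring zone) is an assumption made for this illustration.
"""
import base64
import re

MONITOR_ZONE = "monitor.example"  # hypothetical zone owned by the host system
_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def encode_query_name(esn: str, zone: str = MONITOR_ZONE) -> str:
    """Agent side: carry the electronic serial number in the leftmost label.
    Base32 keeps the label DNS-safe; '=' padding is stripped because it is
    not a legal label character, and is restored on decode."""
    label = base64.b32encode(esn.encode("ascii")).decode("ascii")
    label = label.rstrip("=").lower()
    if len(label) > 63:
        raise ValueError("serial number too long for one DNS label")
    return f"{label}.{zone}"

def decode_query_name(qname: str, zone: str = MONITOR_ZONE):
    """Host side: recover the serial number, or None when the name is not a
    well-formed beacon for this zone (wrong zone, bad label, bad base32)."""
    name = qname.rstrip(".").lower()
    suffix = "." + zone
    if not name.endswith(suffix):
        return None
    label = name[:-len(suffix)]
    if not _LABEL_RE.match(label):
        return None
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        return base64.b32decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_query(qname: str, lost_or_stolen: set) -> tuple:
    """Compare the decoded indicia with the lost-or-stolen list (claim 78).
    Returns (esn, status): status is 'invalid', 'ok' or 'lost_or_stolen'."""
    esn = decode_query_name(qname)
    if esn is None:
        return (None, "invalid")
    return (esn, "lost_or_stolen" if esn in lost_or_stolen else "ok")

STOLEN = {"ESN-000123"}  # constructed sample list held by the host system
```

decode_query_name rejects anything that is not a single well-formed label directly under the monitoring zone, so a malformed or unrelated query never reaches the list comparison.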

***** 
UNITED STATES PATENT AND TRADEMARK OFFICE 

CERTIFICATE OF CORRECTION 



PATENT NO. : 6,300,863 B1 Page 1 of 1 

DATED : October 9, 2001 

INVENTOR(S) : Cotichini et al. 



It is certified that error appears in the above-identified patent and that said Letters Patent is 
hereby corrected as shown below: 



Column 13, 

Line 1, after "ports" insert -- to --. 
Column 34, 

Line 9, "i" should read -- is --. 

Line 40, after "drive" insert -- , and wherein the method further comprises the step of 
loading said agent within said computer --. 
Line 47, "1" should read -- 18 --. 

Column 35, 

Line 60, after "claim" delete "7 or". 
Column 37, 

Line 10, "means," should read -- means --. 
Line 38, "is" should read -- includes --. 

Lines 54 and 60, "said Internet connection" should read -- communication --. 
Line 58, "69" should read - 71 --. 

Column 38, 

Line 26, after "78" insert -- wherein said global network include the Internet and --. 



Signed and Sealed this 
Second Day of September, 2003 

JAMES E. ROGAN 
Director of the United States Patent and Trademark Office 